This article appears in the May 7, 2009, edition of ISO&Agent Weekly.
More than 40 payments-industry professionals are expected to attend a workshop this week to discuss a new standard to protect sensitive cardholder data, says Sid Sidner, a member of the Accredited Standards Committee X9, which oversees standards governing the use of PINs online and similar measures.
Spurred in part by Heartland Payment Systems Inc.'s effort to improve payment security, the meeting will examine ways to improve security between the point-of-sale terminal and the acquirer, Sidner, director of security engineering at ACI Worldwide Inc., a New York-based payment-systems software company, tells ISO&Agent Weekly.
Though such work may take a couple of years to produce a working standard, the outcome could make it easier for ISOs to help their merchants protect their payment systems under a unified security protocol.
That work means listening to merchants, and merchants are more interested in taking an active role in securing payment systems, says Sidner.
For example, the Merchant Advisory Group, a trade association representing large merchants, contacted the X9 committee at about the same time Sidner suggested adding a discussion of a new encryption standard to this week's meeting.
Based in Irving, Texas, the group originally formed in 2005 as merchants processing with Chase Merchant Services. In 2007, it became independent of Chase and opened membership to all merchants, regardless of their acquirer relationship, the association's Web site says.
The path between a terminal and the acquiring bank is just one piece of the payments infrastructure, "but it's a small path where we can make changes," Sidner acknowledges. "We can't easily change the way the whole card system works."
Sidner is hoping for a lot of discussion. "The idea is whatever comes out of it will be submitted to the X9 committee," he says.
Though Heartland is involved now, Cindy Fuller, executive director of the Annapolis, Md.-based committee, says the idea of developing a standard was bandied about before Heartland's security breach. The committee develops, maintains and promotes standards for all financial services in the United States.
The committee's work does not replace Heartland's own efforts, but it is a welcome addition, a Heartland spokesperson says.
Once the workshop submits its idea to the committee, a draft of the standard will be available 10 to 12 months later, Fuller says. A published standard should be ready 24 months after the proposal's initial submission, she says.
Whatever is proposed, Fuller is convinced that merchants want something simple to use.
"Merchants are telling us we can't have three to four different solutions," Fuller tells ISO&Agent Weekly. "We have to have a more streamlined solution."
Princeton, N.J.-based Heartland is hosting the meeting this week in Plano, Texas.