New security technology may surface in the future as part of the mobile commerce age, but the Payment Card Industry Security Standards Council intends to be in the security business for the long haul.
The PCI council continues to expand its reach, with the intent of remaining a strong guide for data security well into the future, says Bob Russo, general manager of the PCI Security Standards Council.
"We are not working in an ivory tower," Russo says. "We are a global payment organization, not a payment scheme."
The council has met with the Federal Reserve Banks to discuss and develop PCI data security standards and two weeks ago, met with the National Institute of Standards and Technology, a U.S. Department of Commerce agency, Russo says.
"We have a variety of people participating in developing our standards," Russo adds. "We have discussions with the European Central Bank and meetings with the White House because we have to work together on this."
The PCI data security standards will remain the model for card data safety, mainly because PCI has worldwide reach through the card brands to ensure security, Russo says. Proof of that came last week, as more than 400 people attended the council's seventh annual North American community meeting in Las Vegas, where participating organizations and assessors provided feedback on the proposed new PCI DSS 3.0 standards that will be released in November.
"PCI is valuable; it creates a standard that provides the baseline for merchants to adhere to, and they continue to establish a series of best practices," says Julie Conroy, senior analyst and fraud expert with Boston-based Aite Group.
Despite some rhetoric among merchants who decry the costs of PCI compliance, Conroy says as long as Personal Access Numbers are used to access payment data, there will always be a place for PCI standards.
"Frankly, people should have been doing all of this [security measures] a long time ago, because some of it is just no-brainer stuff," Conroy says. "Yet, some merchants and coders I have spoken to can't even spell PCI, and it's not that hard to spell."
PCI's intent is to make compliance easier and for security to become a basic part of operating a business, says Troy Leach, the council's chief technology officer.
The notion of making security measures business as usual was a key theme at the community meeting, Leach says.
The council obtained feedback from attendees regarding memory control mechanisms in the payments network in light of data breaches and system failures at the point of sale, Leach says. Memory control mechanisms represent network locations where data is temporarily stored during transactions.
"Controls are not that mature and there are growing threats in misuse of memory in cardholder data," Leach says. "We want to dip our toe into that space more and reinforce it more in the training we offer."
Key issues facing PCI are addressed in the new standards. More guidance is expected regarding increasing the responsibilities of third-party service providers, particularly in terms of parties working on a payments network agreeing to identify who protects cardholder data in such circumstances.
In addition, the council will address the roles of cloud service providers, as well as simple, process-oriented controls for card-present transactions at the point of sale, Leach says. The council also wants to address cost-effective ways to prevent skimming and other attacks, he adds. In addition, the standards continue to reflect more security measures for payment processor systems.
The new standards may introduce enhanced testing procedures to help clarify the level of validation expected of merchants for each PCI requirement.
In an ironic twist, the success of PCI data standards is illustrated in the uptick in account takeovers through cyber-attacks, Aite's Conroy says.
As card data is better protected, hackers are going after other identification credentials to eventually get access to card data, Conroy says.