Because 2012 represents a “feedback year” in the Payment Card Industry Security Standards Council’s three-year cycle for establishing data-security standards, new council Chairman Mike Mitchell figures to absorb plenty of viewpoints about issues facing the industry along with the traditional complaints about compliance testing and costs.
Mitchell, who also is vice president of global network operations at American Express Co., became the new PCI council chairman Jan. 1, the start of a year in which the council intends to tackle online and cloud computing data-security issues.
In addition, the council will assign a special interest group to research risk-based approaches to payment-data security, Mitchell tells PaymentsSource. The group would provide the feedback used to establish standards that require merchants to target first the payment-acceptance areas that represent the largest risk, he adds.
“I love being involved in the feedback cycle because so many people get involved,” Mitchell says. “It used to be that PCI participating organizations would think about data security only when something went wrong; now they are thinking about it well in advance.”
In being active with the council since 2006, Mitchell has been around long enough to know that, besides addressing data-security issues, the council has to do its fair share to create a positive industry image for itself.
Despite the services the council provides, many in the payments industry continue to struggle with the compliance rulings and costs involved, acquiring industry consultant Paul Martaus of Mountain Home, Ark.-based Martaus & Associates, tells PaymentsSource.
“The PCI council has an incredibly difficult and complex job just to keep its hands wrapped around the whole issue of data security,” Martaus says. “But I believe an awful lot of merchants and processors feel it is a waste of time and effort.”
Detractors believe they can take the money spent to be PCI compliant and put it toward a “total data security” system on their own, Martaus says. That notion suggests that many have the perception that maybe PCI standards don’t go far enough, he contends.
But Bob Russo, the PCI council’s general manager, says the council continues to move toward services and training that keep abreast of the security issues.
“Merchants generally approve of the PCI-compliance process because they know less card data is being breached because of it,” Russo tells PaymentsSource.
The council incorporates a data security product-validation program this year in which trained PCI personnel will review vendors’ security products as they are developed, then validate them for use in various levels of PCI compliance, Russo tells PaymentsSource.
“We will have those in our assessment community trained in the third quarter of this year, and then we’ll start seeing the validated products listed on the PCI website,” Russo adds.
The validation program represents one step in the PCI-compliance process that can help reduce the scope of what needs to be tested in the merchant’s payments system. It does not, however, on its own make a merchant PCI compliant, Russo says.
In addition, the council will address a topic that remains mysterious to many in the industry: data security in cloud-based systems, Russo notes. It represents another phase of compliance that merchants did not consider even a few years ago, he suggests.
“Cloud security is more complicated because there are more moving parts,” Russo says. “Actually, there is no magic involved because data security is basically the same.”
However, with cloud computing, payment data from as many as 50 different merchants can come to the same virtual server instead of one merchant sending data to his own computer server, Russo says.
Some in the industry may have concerns about the costs of PCI compliance, or they fear paying fines if found to be noncompliant. But the council has a major responsibility, Martaus says.
“PCI is charged with keeping the whole card-payments system viable, and there is no doubt about that,” he says. “If the consumer loses faith in the system and stops using cards, where does that leave everybody?”