Advanced encryption methods, mobile payment security and various other technologies figure to be major topics once again when the Payment Card Industry Security Standards Council's participants gather in Orlando, Fla., Sept. 12 to 14 for the 2012 North American Community Meeting.
The council uses an annual community meeting format to establish industry topics for discussion and the eventual shaping of PCI standards.
As part of the open standards development process, the council solicits worldwide input from its participating organizations – merchants, banks, processors, hardware and software developers, point-of-sale vendors and others – to review and share at the community meetings. More than half the input received during a formal feedback period prior to the meeting originated from organizations outside of the United States, the council says.
The PCI council has a difficult job in establishing industry standards, mainly because so many merchants don't want to comply because of the expense involved, says Paul Martaus, merchant acquirer consultant and industry researcher for Mountain Home, Ark.-based Martaus and Associates.
"It's a little bizarre in that the PCI council is tasked with developing systems to keep data secure, but it doesn't really have any authority to police the situation," Martaus says.
The meeting also does not generate a tremendous amount of buzz amongst industry participants because "everyone understands it's necessary" and it is primarily a way for the payments industry to police itself, he says.
"You don't want the federal government trying to regulate this stuff because it's really complicated and those in the industry are better suited for it," Martaus says.
The current PCI structure allows for plenty of contributing organization feedback and input into developing standards, but it lacks an outlet for merchants who want a voice when dealing with a PCI violation, Martaus says.
"Merchants who get angry about being accused of a PCI violation and a fine from the card networks that they deem too high often find themselves with no one to complain to about it," he adds.
Susan Matt, CEO of ThoughtKey Inc., an Atlanta-based PCI consulting firm, says when merchants have an issue with PCI standards they are generally seeking a different interpretation of a standard.
"There really is not a method for changing a standard outside of PCI's normal development process," Matt says.
Indeed, the council received feedback in five key categories for establishing discussions at the community meeting, with 34% of participants requesting a "change to existing requirement/testing procedures."
When merchants lose money because of a breach or a fine, they feel alone with no one to turn to, Matt says. "But PCI has nothing to do with [levying] fines and the council is not going to defend a merchant in court," she adds.
Overall, Matt says those in the industry feel the PCI process and what results from the community meetings have improved.
"It's a tough thing to get everything right when developing standards, but I think most people believe that what comes out of the meetings has been more valuable," she adds.
This year's meetings won't lack for lively topics and discussions, says Bob Russo, the PCI council's general manager. "We have a lot to talk about," he says.
Much of this year's meeting will focus on the PCI data security standard requirements, as participants seek more clarification and guidance on complex requirements like encryption and key management, the council states in a press release.
Participants also suggest updating password requirements, including authentication that goes beyond just using passwords. In addition, the council is seeking guidance on the scoping and segmentation of payments systems, participants said.
The council has scheduled its European Community Meeting for Oct. 22 to 24 in Dublin, Ireland.