PCI Update: 'No Surprises'

After months of deliberation, the PCI Security Standards Council is on the verge of releasing the 2010 update of the Payment Card Industry Data Security Standard.

What can card issuers, merchants, payments processors and other interested parties expect? No big surprises, according to Bob Russo, general manager of the council.

In an exclusive interview, Russo says the new update includes some clarifications and guidance that will create greater flexibility for merchants -- but no new requirements. "That's good news," says Russo, who goes on to discuss:

  • A summary of the clarifications and areas to be touched by the new guidance;
  • Timeline for release, discussion and implementation of the update;
  • Why payment card transactions will be even more secure as a result of these measures.

Russo brings more than 25 years of high-tech business management, operations and security experience to his role as the general manager of the PCI Security Standards Council. Russo guides the organization through its crucial charter, which is focused on improving data security standards for merchants, banks and other key stakeholders involved in the global payment card transaction process. To fulfill this role, Russo works with representatives from American Express, Discover Financial, JCB, MasterCard Worldwide and Visa International to drive awareness and adoption of the PCI Data Security Standard.

TOM FIELD: Well, Bob, the question everybody wants to ask now: What can you tell us about the forthcoming PCI Update?

BOB RUSSO: Well, I think first and foremost it is a direct result of the feedback that we got. Actually, we are providing greater clarity on PCI-DSS as well as PA-DSS. We are calling for improved flexibility for merchants, while managing the risks and the threats that they are seeing as well, and we are aligning with industry best practices. And I guess most of what you will see out of the new versions coming later in September and October will be clarifications on scoping and reporting.

So, relatively minor changes, no new requirements to the standards -- that's good news -- and the clarifications basically are there to remove any kind of confusion around what the intent of the requirement is, and there will be additional guidance to increase your understanding and help provide further information on particular topics. And then of course there are emerging threats and changes that may come into play here, and if there are they will require some evolvement in some of the requirements, but at this point no. So, basically I think it is a reflection, at this point, on the growing maturity of the standard and the strong framework that it provides for protecting cardholder data.

FIELD: Bob, when you think of each of your constituents, the card companies, the issuers, merchants, processors, etc., what is the headline news for these parties?

RUSSO: Well as I said earlier, the standards are becoming more mature. You know, most of the revisions, as I said, are simple matters of clarity and additional guidance. Spelling out what the changes are right now, which we will do later this week, makes for no surprises for these people.

And basically it gives us the opportunity to align the DSS and the PA-DSS to make it easier for merchants to align any kind of efforts that they might be having going towards dealing with both PA-DSS and the DSS. And then of course with the new lifecycle, there is plenty of time to sunrise and sunset the old version and new versions -- give everybody enough time to implement them and give us better feedback from their experiences with it.

FIELD: Bob, a lot of things have come up in discussion over the last couple of years -- tokenization, end-to-end encryption. Which areas do the clarifications not address?

RUSSO: Well, the areas that you mentioned will not be part of the requirements. There will be additional guidance coming later in the year, so at the community meeting as well as after the community meeting we will be issuing guidance on CHIP for example, point-to-point encryption, tokenization. And basically what we will be doing is lining those up with the standards and comparing them -- letting people know that if in fact they are using one of these technologies (and of course we encourage layers of security, which these are) ... this is how it lines up with the standard.

In one case or another you may have already satisfied one or more requirements by using one or more of these technologies, so that is what you will see. It won't be anything in terms of new requirements having to do with any of that.

FIELD: Bob, give us a sense of the deliberations and the tough decisions even that you have had to go through to arrive at this stage that you are at now.
