PCI Update: 'No Surprises'
After months of deliberation, the PCI Security Standards Council is on the verge of releasing the 2010 update of the Payment Card Industry Data Security Standard

What can card issuers, merchants, payments processors and other interested parties expect? No big surprises, according to Bob Russo, general manager of the council.

In an exclusive interview, Russo says the new update includes some clarifications and guidance that will create greater flexibility for merchants -- but no new requirements. "That's good news," says Russo, who goes on to discuss:

  • A summary of the clarifications and areas to be touched by the new guidance;
  • Timeline for release, discussion and implementation of the update;
  • Why payment card transactions will be even more secure as a result of these measures.

Russo brings more than 25 years of high-tech business management, operations and security experience to his role as the general manager of the PCI Security Standards Council. Russo guides the organization through its crucial charter, which is focused on improving data security standards for merchants, banks and other key stakeholders involved in the global payment card transaction process. To fulfill this role, Russo works with representatives from American Express, Discover Financial, JCB, MasterCard Worldwide and Visa International to drive awareness and adoption of the PCI Data Security Standard.

TOM FIELD: Well, Bob, the question everybody wants to ask now: What can you tell us about the forthcoming PCI Update?

BOB RUSSO: Well, I think first and foremost it is a direct result of the feedback that we got. Actually, we are providing greater clarity on PCI-DSS as well as PA-DSS. We are calling for improved flexibility for merchants, while managing the risks and the threats that they are seeing as well, and we are aligning with industry best practices. And I guess most of what you will see out of the new versions coming later in September and October will be clarifications on scoping and reporting.

So, relatively minor changes, no new requirements to the standards -- that's good news -- and the clarifications basically are there to remove any kind of confusion around what the intent of the requirement is, and there will be additional guidance to increase your understanding and help provide further information on particular topics. And then of course there are emerging threats and changes that may come into play here, and if there are they will require some evolvement in some of the requirements, but at this point no. So, basically I think it is a reflection, at this point, on the growing maturity of the standard and the strong framework that it provides for protecting cardholder data.

FIELD: Bob, when you think of each of your constituents, the card companies, the issuers, merchants, processors, etc., what is the headline news for these parties?

RUSSO: Well as I said earlier, the standards are becoming more mature. You know, most of the revisions, as I said, are simple matters of clarity and additional guidance. Spelling out what the changes are right now, which we will do later this week, makes for no surprises for these people.

And basically it gives us the opportunity to align the DSS and the PA-DSS to make it easier for merchants to align any kind of efforts that they might be having going towards dealing with both PA-DSS and the DSS. And then of course with the new lifecycle, there is plenty of time to sunrise and sunset the old version and new versions -- give everybody enough time to implement them and give us better feedback from their experiences with it.

FIELD: Bob, a lot of things have come up in discussion over the last couple of years -- tokenization, end-to-end encryption. Which areas do the clarifications not address?

RUSSO: Well, the areas that you mentioned will not be part of the requirements. There will be additional guidance coming later in the year, so at the community meeting as well as after the community meeting we will be issuing guidance on CHIP for example, point-to-point encryption, tokenization. And basically what we will be doing is lining those up with the standards and comparing them -- letting people know that if in fact they are using one of these technologies (and of course we encourage layers of security, which these are) ... this is how it lines up with the standard.

In one case or another you may have already satisfied one or more requirements by using one or more of these technologies, so that is what you will see. It won't be anything in terms of new requirements having to do with any of that.

FIELD: Bob, give us a sense of the deliberations and the tough decisions even that you have had to go through to arrive at this stage that you are at now.

RUSSO: Many considerations go into introducing changes to these standards, not the least of which is what's best for payment security. That is uppermost on our minds. That being said, this is a global standard, so global applicability to local markets is very, very important.

Very often I am traveling outside of the United States. As an example, if I am in Europe, I can get in a car and drive 20 minutes and cross a border. I cross a border, and a whole new set of legislative issues has to be dealt with when it comes to protecting this stuff, and privacy issues as well. So we have to make sure that it is applicable and it can be used in all of these markets.

Of course, sunset dates for the other requirements is an important consideration as well, and the cost benefits of making these changes to infrastructure have to be well thought out. I mean, if we make something required in the standard and it fundamentally changes the way people apply the standard internally and that costs a huge amount of money; that is something we really, really have to weigh heavily before we decide to make any changes.

And then of course there is a cumulative impact of a lot of these changes as well. We need to make sure that we are being keenly aware of that as well.

FIELD: So what has gone into the decisions you have made? I know you have spent a good deal of time looking over research that you conducted last year.

RUSSO: Well, as I said, the changes come directly from the real-world implementation of this. I mean, this feedback comes from the merchants and the processors and all of our participating organizations and global stakeholders, so I think it is a good reflection of what is actually happening out there in the world. People are interested to understand with more clarity what these standards actually mean, and more importantly what is the intent of a requirement, so that they can properly implement it.

FIELD: Bob when you think of all these different parties around the world, as you say, who is going to be unhappy with what you release this week?

RUSSO: You know, I don't think anyone is going to be unhappy. Again, a direct result of feedback, global feedback, and very, very important, if you look at the feedback that we got this year -- I continually say this is a global standard; this year gives us lots and lots of evidence of that.

Over 50 percent -- I think 54 or 56 percent of the feedback that we got came from outside the United States. So this really is a global standard, and the feedback that we are getting is global, and I think it is a really good reflection of what the industry is looking for and what they are saying.

FIELD: Bob, give us a sense of timeline please; I know that you have got your announcement this week, I know that you have got your community meeting in September. What are the events we are going to be looking at over the next several months?

RUSSO: You are going to get a detailed summary of changes coming out. This week will be the summary of changes. As we get to early September, just prior to our community meetings, we will release not only the detailed summary of the changes, but we will actually release the standard, so that people have a chance to see that standard before they come to our community meetings, and they will have a chance to better prepare and come with some questions that are germane to their specific industry and their specific situations.

And then of course at the community meetings in September and October we will have the ability to discuss these in depth, and then finally the actual appearance of the new standard will be published on October 28th. That is a week or so after the last community meeting in Barcelona. So, if in fact there are any "aha" moments that we get at these community meetings -- which as highly unlikely as it may be, there could be -- we still have the ability to make some adjustments and tweaks to the standard.

And then of course after the announcement on the 28th of October, in line with the new lifecycle we will be making the standard effective on January 11, so that during that holiday period, or year-end lockdown as people are referring to it, they won't have to worry about making any changes to the existing way that they are dealing with the standards.

FIELD: So, as you describe it, there will be the opportunity through the community meetings to get feedback that could lead you to make revisions, but you don't anticipate revisions before October 28th?

RUSSO: That's correct. I mean we have had a ton of feedback throughout the year; we have had open discussions, open mike webinars that we have with all of our constituents, and even the people who are not participating organizations are invited to those as well. I think we have pretty much seen everything that we are going to see in terms of changes that will be made to the standard. But again, just in case there is an "aha" moment, we will have the ability to do that after the community meetings.

FIELD: Bob, just a final question for you and it is a summary question: Fundamentally, how do you see that payment card transactions will be more secure even than they are now because of these new measures?

RUSSO: Well you know, everyone in the payment chain, from merchants to the financial institutions, the software and hardware providers, even the payment branch needs to play a role in secure payment card transactions.

So our goal in updating the standard is to really reflect real-world challenges to the security of these transactions and provide as much clarity as possible, so that people can comply with them and keep this data safe. And while doing that, we are providing education, tools and additional guidance for merchants and others so that it makes it easier for them to adopt the standard.

Around the Network