The Agency Insider with Linda McGlasson

Impressions from the PCI Community Meeting

Around one networking table, a consultant from the United Kingdom explained how she is building PCI compliance requirements for a major retailer into its existing ISO 27001 program. This reflects a trend: companies increasingly are opting to build PCI's 12 requirements into their existing security compliance programs rather than run PCI as a separate effort. "Companies are beginning to look at PCI more strategically, applying the same protection measures that they use on card data on the rest of the sensitive personal data they hold," says Gary Palgon, a PCI security pro who attended the session.

One first-time attendee offered his impressions from the meeting: "From talking to others, I think most felt that this was a very different meeting when compared to past meetings, in that there was less chaos," says Matt Davis, Audit and Compliance principal practice lead at SecureState, a Cleveland, OH-based risk management assessment firm.

To some extent Davis says he sees this more orderly meeting as a "side effect" of 2009 being a feedback year - 2010 is the year for the next expected update. "But I think this is primarily a testament to the amount of information and clarification over the past year, including revisions of forms and the standard, information supplements, and the increase of online FAQs," he says. "But if there was a common theme this year, it's that there needs to be even more of this."

The community meeting offered ample opportunity for discussion of PCI guidance, consensus, clarity, best practices and examples. But Davis says he continues to hear cries about the need for better definition of terms. "It is somewhat amazing that there can still be debate even over core concepts such as what card holder data is and what authorization is," he notes. It's this situation that continues to drive confusion and debate about PCI from the top level with the card brands all the way down to the service providers and merchants.

One thing is for sure: There needs to be more discussion, more information sharing. I think the PCI-SSC gets this, based on the amount of information they've shared even before the meeting.

Let's see what comes next out of the European PCI-SSC community meeting in October, and then how quickly the raw data from the PricewaterhouseCoopers emerging technologies survey is synthesized and acted upon.

2010 can be a huge evolutionary year for the PCI standard. And it all starts here.

About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.
