New council advances PCI
The payments industry took a big leap forward this month with the creation of a formal standards council. The group's first act was to release a revision of the Payment Card Industry (PCI) Data Security Standard (DSS).
American Express Co., Discover Financial Services LLC, JCB International Co. Ltd., MasterCard Worldwide and Visa International formed the PCI Security Standards Council LLC, an independent body whose goal is to manage the ongoing evolution of PCI.
"The good news to anyone selling merchant acceptance is there's a single standard now, and it applies to all five major brands," said Rob Tourt, Vice President of Network Services for Discover. With a council, responsibility for a PCI response to emerging threats becomes clearer, he added.
Here to stay and gaining weight
"I'm happy they [the card companies] are moving to a standards body and that they're going to have other interested parties in the industry contribute to the next standard," said David Mertz, Director of Compliance Services for GreenSoft Solutions Inc. GSI is a hosted-data service provider audited and certified for PCI compliance.
"There has been some speculation from people that [PCI] was becoming Visa's deal," Mertz said. "Establishing a standards body gives it more weight within the industry, as merchants and service providers start to view it as something that's here to stay."
One of the council's first objectives is to create a participating organization of stakeholders in the payment processing chain - including merchants, ISOs, agents and vendors - who will provide a "feedback loop" on implementing Version 1.1 of the PCI standard, said Seana Pitt, newly named Chairperson of the council.
Stakeholder feedback will be used to shape changes for the next revision and make the standard easier to implement. The council intends to solicit more feedback from the marketplace, ISOs and other financial institutions, she said. Pitt is Vice President of Merchant Policy and Data Quality for American Express.
"From the pool of stakeholders, we'll get an advisory committee to liaise" with the executive council, which consists of one member from each of the five card brands, Pitt said. The council was created to drive adoption and awareness of the PCI standard.
The council intends to elect the advisory committee by the end of 2006. Two-thirds of the advisory group will come from participating stakeholders, and one-third will be appointed by the council, in order to achieve global (regional) and stakeholder (functional) diversity.
These "sage advisers" will report to the executive council and will drive the next revision, which could be released in about a year. DSS revisions, which will come out not more than once a year, will likely include upgrades to authorization formats.
Another task the council has undertaken is an executive search for a general manager, who will be responsible for raising standards awareness and recruiting feedback contributors.
One step forward
While industry observers viewed the creation of a formal PCI council as a positive step, some suggested it needs to go further. Brian Riley, Senior Analyst, Bank Cards, for research and consulting firm TowerGroup, said the power to enforce the PCI standard should have been part of the council's charter.
"The idea itself was very good to have a unified council, but there was no resolution on what the penalty should be for nonconformance," he said. Whereas the Sarbanes-Oxley Act raises the specter of prison time for corporate malfeasance, the PCI standard lacks teeth.
Legislation has been proposed in Congress to enforce protection of customer data; unless the industry engages in self-policing, it leaves the door open for Congress to determine the consequences of negligence, Riley said.
Enforcement should rightly be up to the individual card brands, according to Michael Petitti, Senior Vice President of AmbironTrustWave. He views the formation of the council as a strong step forward. Its rules revision clarifies specifics, leaving less up to individual interpretation. For example, Version 1.1 begins to spell out the way ISOs should approach PCI with the majority of their clients: level 4 merchants.
New to the rules is an explanation of PCI requirements for hosted environments, such as those provided by ISOs. "Basically, this is a shift in that hosting providers are going to [be required to] attest to the environment they provide," Petitti said.
Until now, most PCI rules addressed merchants at levels 1, 2 and 3. "For years, we've looked at the ISO world and said, When is it going to hit?" Petitti said. "ISOs [have] all level 4 merchants.
"From the merchant level salesperson on the street to the larger organizations, they have to take PCI seriously. For ISOs, you have a large portfolio of merchants, and it is incumbent upon you to make sure your merchants are compliant," Petitti said.
Defining standards for level 4 merchants in a shared, hosted environment is the most intriguing new element of the rules, Mertz said. "It starts to create a standard for hosting providers, but it doesn't ... differentiate enough between when the merchant is managing that environment and when the host is managing that environment."
The revised spec does not clearly delineate responsibilities between the hosting provider and the merchant on issues such as management of software patches. More clarification will be needed in the future, Mertz said.
Petitti said a service provider may host data from multiple merchants on a single server, possibly enabling any of those merchants to access all the data on the server. New to the PCI standard, host services must now segregate and protect each merchant's data on a shared server.
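The shared-server exposure Petitti describes, shown as code. This is an added example and not anything from the article or the PCI SSC: an unscoped record lookup (any merchant who knows a transaction id reads it) beside a merchant-scoped one, plus a check that confines each merchant's files to its own directory on a shared host. The in-memory record store, merchant ids, transaction ids and paths are all constructed for illustration.

```python
# Added example, not from the article: the shared-server exposure described
# above, shown as an unscoped record lookup beside a merchant-scoped one, plus
# a per-merchant storage-path check. The record store, merchant ids and paths
# are constructed for illustration; nothing here is a PCI SSC artefact.
import posixpath
import re

# Constructed in-memory store standing in for a shared database table.
RECORDS = {
    "txn-1001": {"merchant_id": "M-ALPHA", "pan_last4": "4242", "amount": 19.99},
    "txn-1002": {"merchant_id": "M-BRAVO", "pan_last4": "1111", "amount": 5.00},
    "txn-1003": {"merchant_id": "M-ALPHA", "pan_last4": "0005", "amount": 120.00},
}

# Merchant ids are an assumed, hypothetical format: upper-case alphanumerics and dashes.
MERCHANT_ID_RE = re.compile(r"^[A-Z0-9-]{1,32}$")


class AccessDenied(Exception):
    pass


def lookup_unscoped(txn_id):
    """The problem case: any merchant who knows or guesses a transaction id
    reads the record, whichever merchant it belongs to."""
    return RECORDS[txn_id]


def lookup_scoped(caller_merchant_id, txn_id):
    """Segregated lookup: the record must belong to the calling merchant.
    A missing record and a foreign record raise the same error so the
    endpoint cannot be used to enumerate other merchants' transaction ids."""
    rec = RECORDS.get(txn_id)
    if rec is None or rec["merchant_id"] != caller_merchant_id:
        raise AccessDenied(f"{caller_merchant_id} may not read {txn_id}")
    return rec


def access_allowed(caller_merchant_id, txn_id):
    """Boolean wrapper around lookup_scoped for callers that only need a decision."""
    try:
        lookup_scoped(caller_merchant_id, txn_id)
        return True
    except AccessDenied:
        return False


def records_for(caller_merchant_id):
    """List only the caller's own records, never the whole table."""
    return {k: v for k, v in RECORDS.items() if v["merchant_id"] == caller_merchant_id}


def tenant_path(base, merchant_id, relative_name):
    """Confine a merchant's files to base/<merchant_id>/ on the shared host.
    Rejects malformed merchant ids, absolute names and '..' traversal."""
    if not MERCHANT_ID_RE.match(merchant_id):
        raise AccessDenied(f"bad merchant id {merchant_id!r}")
    root = posixpath.normpath(posixpath.join(base, merchant_id))
    target = posixpath.normpath(posixpath.join(root, relative_name))
    if target != root and not target.startswith(root + "/"):
        raise AccessDenied(f"{relative_name!r} escapes {root}")
    return target


def path_allowed(base, merchant_id, relative_name):
    """Boolean wrapper around tenant_path."""
    try:
        tenant_path(base, merchant_id, relative_name)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    # The unscoped lookup hands merchant ALPHA a record that belongs to BRAVO.
    print("unscoped leak:", lookup_unscoped("txn-1002"))
    print("scoped, own record:", access_allowed("M-ALPHA", "txn-1001"))
    print("scoped, foreign record:", access_allowed("M-ALPHA", "txn-1002"))
    print("traversal blocked:", not path_allowed("/srv/cardholder", "M-ALPHA", "../M-BRAVO/export.csv"))
```

The scoping key is the authenticated merchant identity, not anything the caller supplies in the request; the same design applies whether the store is a database table (add the merchant id to every `WHERE` clause) or a directory tree (resolve and prefix-check every path before opening it).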
Version 1.1 also fails to address another of Mertz's previous concerns: companies approved to provide PCI-compliance assessments also are empowered to do the remediation work for the same client. "That creates a conflict of interest, and there needs to be a segregation of remediators from assessors," he said.
In other respects, Mertz finds the new specification enhances wireless security protections. It also moves away from the narrow role of enumerating encryption standards to a broader industry-based approach that is flexible, allowing the council to respond to changes in technology and react to new methods used by hackers.
In wireless security, the revision no longer allows plain vanilla WEP (Wired Equivalent Privacy) encryption unless it is accompanied by several measures designed to counter its weaknesses. The council is now pushing businesses toward the WPA (Wi-Fi Protected Access) encryption standard, plus the SSL (Secure Sockets Layer) or TLS (Transport Layer Security) protocols. "WEP users should upgrade wireless routers to a WPA-capable router" to achieve true PCI compliance, Mertz advised.
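A small checker for the wireless posture just described, added here as an example rather than anything from the article or from the council's own material. It parses a constructed access-point inventory and classifies each network: WPA passes, plain WEP fails, and WEP with accompanying measures is flagged as conditional. The inventory format, the field names, the SSIDs and the `compensating=yes` flag are all assumptions; the flag stands in for whichever additional measures an assessor requires alongside WEP, which the article does not enumerate.

```python
# Added example, not from the article: check a wireless inventory against the
# Version 1.1 posture described above (plain WEP not acceptable on its own;
# WPA the target). The inventory format, field names and SSIDs are constructed
# for illustration, and "compensating=yes" stands in for whichever additional
# measures the assessor requires alongside WEP; the article does not list them.
from dataclasses import dataclass

# Constructed survey: one access point per line, comma-separated key=value fields.
SURVEY = """\
ssid=POS-LAN,enc=WEP,compensating=no
ssid=POS-LAN-2,enc=WEP,compensating=yes
ssid=BACKOFFICE,enc=WPA,compensating=no
ssid=GUEST,enc=OPEN,compensating=no
ssid=MGMT,enc=WPA2,compensating=no
"""


@dataclass
class Finding:
    ssid: str
    encryption: str
    status: str   # "pass", "conditional" or "fail"
    action: str


def parse_survey(text):
    """Parse the constructed key=value survey format into one dict per line."""
    nets = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            fields = dict(item.split("=", 1) for item in line.split(","))
        except ValueError:
            raise ValueError(f"malformed survey line {lineno}: {line!r}")
        if "ssid" not in fields or "enc" not in fields:
            raise ValueError(f"survey line {lineno} lacks ssid/enc: {line!r}")
        nets.append(fields)
    return nets


def assess(net):
    """Classify one access point: WPA passes, plain WEP fails, WEP with the
    extra measures is conditional, anything else (open, unknown) fails."""
    enc = net["enc"].strip().upper()
    ssid = net["ssid"]
    if enc in ("WPA", "WPA2"):
        return Finding(ssid, enc, "pass",
                       "none; keep the WPA configuration under change control")
    if enc == "WEP":
        if net.get("compensating", "no").strip().lower() == "yes":
            return Finding(ssid, enc, "conditional",
                           "WEP tolerated only with the extra measures in place; plan the WPA upgrade")
        return Finding(ssid, enc, "fail",
                       "plain WEP is no longer acceptable; replace with a WPA-capable access point")
    # Open or unrecognised encryption is treated as a failure, never as a pass.
    return Finding(ssid, enc, "fail", "no recognised encryption; disable or move to WPA")


def assess_survey(text):
    return [assess(net) for net in parse_survey(text)]


def failing_ssids(text):
    """SSIDs that block compliance outright (status 'fail')."""
    return [f.ssid for f in assess_survey(text) if f.status == "fail"]


if __name__ == "__main__":
    for f in assess_survey(SURVEY):
        print(f"{f.status:<12} {f.ssid:<12} {f.encryption:<5} {f.action}")
```

The deliberate choice is that only an explicit `WPA`/`WPA2` value passes: an unparseable or missing encryption field is reported as a failure rather than silently skipped, so a gap in the inventory cannot masquerade as compliance.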
Looking to the future
Using feedback from stakeholders in evolving the standard will mean a huge improvement in future enhancements to PCI, Mertz said.
On Riley's wish list is a method for the organization to share PCI failures with the industry, to allow for analysis and broadcasting of the means used to breach systems and the development of new rules to prevent the same incursions from happening elsewhere.
For now, uniting the PCI standard under a single council simplifies interpretation. "I have a single place to go to get clarifications. Having that body is another positive development and shows the industry is taking [PCI] seriously," Petitti said.
PCI Version 1.1 is available at: www.pcisecuritystandards.org/tech/index.htm