The Green Sheet, Inc

Article published in Issue Number: 070102

Industry comes together for data security

By Valerie Killifer, Reporter ATMmarketplace.com

This story was originally published on ATMmarketplace.com, Dec. 12, 2006; reprinted with permission. © 2006 NetWorld Alliance LLC. All rights reserved.

PCI Security Standards Council Goals

  • Enhance payment-account security by promoting global adoption of the PCI Data Security Standard.
  • Establish and maintain approval processes for qualified security vendors and approved scanning vendors.
  • Provide an open forum where companies involved in payment transactions can share opinions.
  • Encourage merchants, financial institutions and POS vendors to join the council as participating organizations.
  • Enable participating organizations to recommend changes, provide input for future initiatives, nominate representatives for election to the council's advisory board, and review and submit comments for changes to PCI DSS.

Data security in the payments space has gone from behind the scenes to center stage since the formation of the Payment Card Industry (PCI) Security Standards Council.

The council - comprised of representatives from American Express Co., Discover Financial Services LLC, MasterCard Worldwide, Visa International and Japan Credit Bureau - plans to enhance account security by fostering global adoption of the PCI Data Security Standard (DSS).

The PCI DSS is a set of 12 data-security regulations that is designed to safeguard debit- and credit-card payment transactions through the use of firewalls, encrypted transmissions of cardholder data and anti-virus software, to name a few.

It took effect June 30, 2005, after a year of security breaches. The most notable breach was the well-publicized CardSystems Solutions Inc. leak suspected of leading to the compromise of some 40 million card numbers.

Seana Pitt, the PCI council's Chairwoman, said each of the five card brands has recognized the importance of protecting cardholder data. But communication between the five was nonexistent before the council.

"All of the big five had their own procedures in the marketplace and were driving them individually," she said. Pitt said the concept behind the PCI standard is to have consistency so merchants, payment processors, financial institutions, POS vendors and payment companies can get organized and more efficient.

Industry obstacles

With the Sept. 7, 2006, launch of the PCI council, the industry is making an effort to organize; but internationally, the payment industry has been slow to move toward adoption. Pitt said the council's ability to reach the global market will depend on its ability to receive feedback and implement changes. And getting the right feedback means getting the right organizations to join the council, she said.

Recruiting efforts in the United States have been successful, but more needs to be done across the globe. "If we take and drive adoption and awareness, then we get the ability to ensure we're addressing concerns in the marketplace," Pitt said.

But some observers argue that the council won't have that much power - each of the credit companies on the council has its own set of compliance deadlines, as well as its own set of consequences if those deadlines aren't met.

"There's been no indication they're attempting to have a uniform strategy for compliance," said Brian Riley, a Senior Analyst at Boston-based consultancy TowerGroup.

Riley said the idea behind the PCI standard is good; but unless the council steps forward with a unified penalty plan, regulators will step in.

"It begs for an intermediary from the outside to come in and say 'Here's what you need to do,'" he said. "Regulations always bring in overhead, but sometimes they're pretty prudent."

Communication between shareholders and the council also is a concern. Avivah Litan, a Senior Analyst for Stamford, Conn.-based Gartner Inc., said retailers have complained about a communications black hole.

"When retailers are trying to comply, they have contact with their bank. It would be a lot easier if you had one enforcement body," she said. "The real action has not been centralized, such as enforcements and compliance. It solved the problems, but not the highest-priority problem."

But Pitt maintains that the council is not out to set penalties. Instead the group is designed to help stakeholders discuss the issues, as well as promote global data-security standards.

"If you look at the five payment brands, there are probably not many merchants in the world that do not accept those payment brands," she said. "It sends a powerful message by the brands coming together - that we really want to ensure ease and efficiency in applying the standards."

The road ahead

Many in the industry, like Jim Cowing, say they're going to sit back and see how the council's priorities unfold. "It's hard to say what's going to happen," said Cowing, Managing Director of California-based Digital Resources Group, a company that validates merchant-data security measures and scans merchant and service provider networks.

"I think that the merchants and service providers that we deal with do appreciate that there is a single standard," Cowing said. "[But] I don't know that there are all that many people who understand the council."

The data security standards are meant to evolve over time, as is the council, Pitt said.

"I think there is a lot of opportunity for us ahead, and a lot of challenges for us to address," she said. "If you look at any security standard, the need to evolve will always be there. With brands continuing to have a policing aspect, I think it will work very well."

The council also has taken over the coordination and certification of qualified security assessors and approved scanning vendors. That coordination and certification had previously been handled by Visa and MasterCard.

"We're not the silver bullet right now," Pitt said. "I think we have taken a great leap forward in solving the challenges in the marketplace, and will have the capability to address those challenges."

Link to article: www.atmmarketplace.com/article.php?id=8195

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
© 2007, The Green Sheet, Inc.