What's the PCI Council's Role?
As the Standard and Scope Grow, Needs Change
The point I want to make is that this week's PCI Community Meeting is much different than the humble reception I attended some four years ago. This council and its event have grown exponentially, and the vision appears much more focused than it did back during those early days.
PCI, four years ago, was something you would only hear about in pockets of banking conferences. Mention the PCI Data Security Standard to a group of bankers and merchants, and the majority had no idea what you were talking about. I found myself perplexed by the standard, too. How did it apply to ATMs and general financial transactions, and who was enforcing it? Today, the standard is known throughout the world, compliance with it is assessed by some 800 PCI-certified Qualified Security Assessors (QSAs), and its council is hosting events that are attracting more than 1,000 attendees from three continents.
But PCI - the council and its standards - face some challenges, some of which have resulted from the organization's explosive growth. I had this revelation yesterday, during a three-hour Q&A session. An event this size is too large. It's great to have a healthy mix of payments industry representatives; but when we mix card issuers with payments processors, convenience-store operators with banks, airline executives with restaurateurs, no one gets any clarity. Their needs differ too greatly.
My suggestion: The council needs to break these community meetings down, not just by global region - a European community meeting is set to take place next month - but also by country; and the meetings need to be focused toward and for specific groups, such as the processors and c-store operators.
I heard similar concerns voiced by some of the attendees, who say they think there's too much bureaucracy, the PCI rules have become too defined and have stunted innovation, and that not all QSAs understand and audit PCI compliance in the same way. All that growth also has slowed decision-making. Guidance on emerging technology, such as the EMV chip and PIN standard, already commonly deployed throughout Europe, and tokenization solutions, which many companies like First Data Corp. are already selling to merchants, should have been issued years ago. And the council is only beginning to look at some of those emerging technologies.
The role of the council also is a bit puzzling. The council only offers guidance; it does not enforce or interpret technology. I got a bit of a brush-off yesterday when I asked two PCI executives about EMV (chip & PIN) and how it is not really "standardized" - meaning it is deployed and interpreted differently in different global markets. (UPDATE: Clarity on PCI and Chip & PIN) I understand EMVCo, the body that created the chip & PIN standard, is the body that should evaluate and interpret EMV. But for the council to simply say it has no response when it comes to the interpretation of that kind of technology bothers me a bit. I find the lack of interpretation somewhat disconcerting. How can a body pass down guidance on technology if it does not have a standard interpretation? How can it train QSAs with no standard interpretation? Perhaps that explains why not all QSAs view PCI compliance in the same way.
All of that said, the council is taking action to address some of those concerns, so I can't be too critical. And in an interesting way, I think the council is passively admitting that it can only do so much. A new PCI Internal Security Assessor Program has been launched by the council to help companies internally wrap their brands around PCI. To date, more than 180 ISAs have been trained, and the PCI Council has more training sessions set for February. A company can select any of its employees to be an ISA, but the council was quick to recommend that companies choose their ISAs wisely. "It could be an auditor or an IT specialist, but you want someone who understands the technology well enough to take the course," said Troy Leach, the council's chief standards architect.
At the end of the day, any entity touching the payments space has to take responsibility for its own security. As Jeremy King, who heads up PCI in Europe, rightly said during his opening speech: "You should not approach PCI as just being PCI compliant. ... Focus on good security and compliance will follow."
I like that.