Credit card companies revise security standard
New council takes over development of the PCI data security standard.
By Ann Bednarz, NetworkWorld.com, 09/08/2006
Five major credit card companies Thursday announced the formation of an independent body to oversee the development and maintenance
of the Payment Card Industry (PCI) data security standard. American Express, Discover Financial Services, JCB, MasterCard
Worldwide and Visa International have thrown their weight behind the newly formed PCI Security Standards Council.
Aimed at retailers and companies that process credit-card data, the PCI standard is a set of technology requirements for securing
networks and applications, protecting cardholder data, maintaining a vulnerability management program, and regularly validating
compliance via a third-party assessment. It was designed to consolidate what had previously been a patchwork of separate security
guidelines issued by the individual credit card companies.
But merchants have complained about ambiguities in the PCI standard and compliance hardships since the rules went into effect
in June 2005. As of this spring, only 22% of the largest merchants were PCI-compliant, according to Visa estimates.
With the formation of the PCI Security Standards Council, its founding members hope to develop a system that is more accessible
and efficient for merchants, processors, point-of-sale vendors and financial institutions. The council's charter tasks include:
* Developing and maintaining a technical data security standard for the protection of account information;
* Reducing costs and lead times for compliance by establishing common technical standards and audit procedures;
* Providing a list of available, qualified security solution providers to help the industry achieve compliance;
* Providing a single source for certifying qualified security assessors and approved scanning vendors; and
* Providing a forum in which stakeholders can provide input into the ongoing development, enhancement and dissemination of
data security standards.
As its first action, the council released the PCI Data Security Standard version 1.1. The new version addresses evolving security threats and provides a framework for ongoing PCI compliance.
The formation of the council and release of the new standard are welcome advances, industry watchers say. In the past, a lack
of clarity has left companies struggling to comply with PCI, says Jennifer Mack, director of product management at security
vendor Cybertrust.
"There has been much confusion over the last year among merchants at all levels as to exactly what security measures and controls
are needed to meet the standard - especially around the best ways to encrypt sensitive data," Mack says. "The updated standard
is a strong step forward, and provides much clearer guidance around what is required to achieve PCI compliance."
The PCI Security Standards Council intends to serve as an advisory group and manage the PCI security standards. Each credit
card brand will remain responsible for its own compliance programs, according to the council.