PCI Security Standards Council: Tell us how we're doing

The PCI Security Standards Council, which establishes technical standards for the payment-card industry, Tuesday invited broad feedback from both its membership and the public in order to understand the best course to take for creating a new security standard next year.

"We want feedback," says Bob Russo, the council's general manager, asking for all criticisms, comments and suggestions related to the existing Data Security Standard 1.2 or any other council endeavors, to help chart a course for future direction. The cycle for determining a new PCI standard for next year is underway, he says. It's important the council get a wide array of opinion in written form in the next three months, which can be summarized and presented at the two community meetings to be held in September and October, in Las Vegas and Prague respectively.

"Where does this need to be made better? We want to know the top five priorities," Russo says about the council's standards, guidance documents and processes. The DSS 1.2 standard is influential because banks, as well as Visa, MasterCard and others, require PCI compliance in order for any business to be allowed to process payment cards.

Russo says those that formally participate in council activities are expected to submit their comments online at the council's Web site. But Russo also invites public comments from those not officially involved with the council but wishing to have input to be sent to him directly at brusso@pcisecuritystandards.org.

At the community meetings in the fall, the council expects to share a report the council has commissioned from consultancy PricewaterhouseCoopers to examine the impact that a variety of technologies could have on the existing PCI standards. The technologies getting a look include tokenization (creating a substitute for the real payment data), chip-to-pin technology and end-to-end encryption.