Network World
Q&A: No alternative to PCI, security council chief insists

It's working fine when it comes to protecting payment card data, Robert Russo says
By Jaikumar Vijayan, Computerworld
June 29, 2009 05:10 PM ET

As the general manager of the Payment Card Industry Security Standards Council, Robert Russo has borne the brunt of criticism about the PCI data security standard. Computerworld spoke with Russo last week as the council prepared to receive formal comments from industry stakeholders about the current version of the standard, which went into effect last fall. Russo stoutly defended the standard and said that despite questions about its effectiveness, there's no alternative when it comes to protecting payment card data.

What do you say to those who have said the PCI rules-making process is not as inclusive as it needs to be? The way it works is after we release a new standard, it stays out there for approximately eight months and then a new comment period begins. All of our participating organizations, as well as all of the assessment community and approved software vendors and such, will have the opportunity to give us formal feedback. We will ask them to tell us what their top five priorities are regarding the standard--what they would like to see addressed, what they'd like to see changed, what they'd like to see added or deleted. We take all of this information and we will digest that and put that in some form that can be distributed once again to the participating communities, saying: 'This is the result of everything we have gotten. And this is what we are proposing, based on what we heard should be in the newest version of the standard,' and then we will have another comment period. That information will be the basis for the new or evolved standard that will be released.

Representatives from seven trade groups sent you a letter earlier this month asking why the PCI standards development process can't be like the one used by the American National Standards Institute. What's your response? We are a global standard, so there are some issues...with just dealing with a standard that comes from one country or the other. As a matter of fact, when they published that letter, there was an article over in the U.K. saying, 'Hey, this is a global standard. Why are you telling these guys to do something that is just U.S.-centric?' We need to worry about stuff all over the world. That is specifically what we are doing at this point. Certainly, we look at all standards to see how we might be able to align our standards with those things. If there is a better way of doing it than the existing standards, we have no qualms about adopting it.

So what you are saying is that your standard is as inclusive as it can be under the circumstances? That's right.

What do you think of questions about the effectiveness of the standard from merchants and even by lawmakers? Certainly, we believe it has been very effective. The standard, as far as we are concerned, is your best defense against a breach. What we have found over the years, and what we have been saying over and over again, is that some of these breaches that you are reading about happened because [the breached entity] turned out to be non-compliant at the time of the breach. I've testified before Congress about some of these things. Basically, what they are saying is, 'If these guys were compliant, why were they breached?' Well, the simple fact of the matter is they were compliant at a point in time, and when the breach occurred, they were not.