Gartner analyst chides PCI Security Standards Council

The Payment Card Industry Security Standards Council (PCI SSC) has taken two steps forward and one back with the creation of a new Board of Advisors, according to Gartner analyst Avivah Litan.

In the research note, entitled "New PCI Security Standards Council Needs More Power," Litan called the election of the PCI SSC advisory board a "positive development that will help to improve communications between PCI stakeholders and the PCI SSC's Executive and Management committees."

Still, "The advisors need voting power and expanded authority to resolve problems," she said.

"Good communications are great, but the jury is still out as to whether the communications will result in meaningful changes to the PCI standard and enforcement process," Litan told "I think everyone's intentions are good but the power structure and closed-door decision-making process inherent to the credit card industry means that, in the end, the card companies' allegiances are to their own bottom lines."

A PCI SSC representative could not immediately be reached for comment.

Litan urged enterprises to join the PCI SSC's "Participating Organizations" to take an active role in helping shape the PCI SSC's future.

The PCI SSC, an independent industry organization that manages the PCI Data Security Standard, announced the results of partial elections for its Board of Advisors in May, electing 14 organizations but reserving seven for later appointment. Three banks, four payment processors, three retailers and four other enterprises were elected.

"Gartner is troubled by the Executive Committee's decision to reserve seven advisory seats to be appointed at its discretion, because the PCI SSC 'Participating Organizations' should also be able to ensure international representation," Litan wrote in her research note.

She said she is "encouraged," however, that major retailers, including Wal-Mart, which has been at the forefront of retailers' struggles to lower card industry processing fees, are already represented on the council.

"Gartner is also concerned that many of the most difficult PCI issues remain outside the authority of the PCI SSC, because enforcement remains the responsibility of the individual card brands," Litan wrote. These issues include inconsistent merchant classifications, enforcement deadlines and compliance requirements across participating card brands, as well as inconsistent international requirements, even within a card brand.

By joining PCI SSC's Participating Organizations, enterprises can impact future credit card policies by presenting their views on compliance issues to the Board of Advisors while also influencing the Executive Committee to take on issues that are currently outside the PCI SSC's authority, Litan noted.

They can also lobby the PCI SSC "to adopt a security standard for payment software. The PCI SSC plans to adopt the Visa Payment Application Best Practices (PABP) standard and is preparing to issue standards for point-of-sale personal identification number (PIN) pads, but this work needs to be expedited."
