PCI Council Pegs Success On Community Involvement

It has been an uphill, five-year process for the PCI Security Standards Council, but through the participation of community members throughout the payment industry, this independent arbiter of the Payment Card Industry Data Security Standard (PCI DSS) has managed to drag the industry kicking and screaming to a higher level of awareness and a better state of security. Now, as the council passes its five-year anniversary, its challenge is to remain relevant and continue to keep up with the dynamic nature of both the threat landscape and the payment industry's latest technology.

Back in the fall of 2006, the foothold of relevancy that the council earned was far from guaranteed. Seana Pitt remembers being on pins and needles back then. An executive on loan from American Express, Pitt had been recently installed as the first chairperson of the newly formed PCI Security Standards Council.

Her goal was to not only help the five major card brands administer the enforcement of the PCI Data Security Standard, but to also develop a forum of those affected by the new standard within the payment ecosystem to help manage the evolution of the standard itself. But a community takes people, and she wasn't sure at the time how many willing participants would answer the council's call for help.

"In some ways it feels like a lifetime ago, and in some ways a moment ago, that I was sitting around waiting for the phones to ring," Pitt says.

It mighthave come in fits and starts at first, but the phones did start ringing and have kept it up during the years to the point that when the PCI Council held its fourth annual community meetings in North America and Europe during the past month, it managed to draw in more than 1,600 stakeholders. That's a huge increase over the 323 who came during the first gatherings in 2007. What's more, the tenor of conversations that these community members are having have changed dramatically.

"If I harken back to 2006 when we were out talking to the marketplace, there was such anger around, 'Why do I have to do this? Why do you want us to put in security protocols? Don't we have it together already?'" Pitt says. "That has changed to a tone that now says, 'Is the council delivering enough innovation to keep pace with emerging security threats, emerging and payment vehicles?' and, 'How can we do more faster?' and, 'How can we do more to be more collaborative?' So it really went from an 'us-against-them' to a 'we' strategy."

John Graham, vice president of governance risk and compliance for First Data Corp. and a member of the PCI Council's Board of Advisers, was skeptical of the council and of the standard five years ago. At that time, he was working as a security practitioner, not within the payment industry. He had misgivings.

"Now that I'm in the payments industry, it has become evident that this has been an awareness engine that has been very effective at improving security," he says.

The awareness hasn't just materialized on its own. Pitt laid the groundwork early on with road shows and outreach efforts. Then she turned the mantel over to Bob Russo, who, as general manager of the council since 2007, has run a years-long public relations and education blitz for the standard. A hands-on and approachable leader who is quick with a story or a joke, Russo has been integral to establishing an open-door culture at the council. He and advisory board members field phone calls and emails personally when stakeholders of every stature have questions or concerns, and his "Ask Bob" sessions at the community meetings are the biggest draw at the events.

But through it all, he has been modestly adamant that he's just a facilitator. It's the council community that has done the hard work of molding the PCI DSS into what it is today, he says.

In the five years since it was formed, the council has come out with important updates to the standard and additional guidance documents to provide clarification on important security issues like point-to-point encryption and pin transaction security. The number of qualified security assessors (QSAs) and approved scanning vendors (ASVs) has shot up dramatically. And the council has started some important special interest groups to support further clarification work in emerging threats and technology. Though it is hard to place a singular metric on PCI success, there are a number of indicators that the standard has helped the industry improve its security posture.

In that time, however, it has also seen its fair share of criticism. There are those within the security community who complain that PCI encourages "checkbox compliance" without encouraging true security improvements. To that, QSA Chris Novak of Verizon Business says a little perspective is in order.

"I would challenge anyone that would say that isn't a good idea to institute any of the 12 requirements of PCI. There's nothing there that anybody thinks is radically new and different than what most people in security know they should be doing," Novak says. But for some reason or another when you talk to people about it as a compliance requirement, they say, 'No. No. No.' I think a lot of people miss the security fundamentals of this."

Some critics have complained, though, that the standard doesn't go far enough and that some of the big breaches that have occurred during the past few years at some retailers happened when they were supposedly complaint. But according to Anton Chuvakin, analyst with Gartner, those claims of compliant organizations being breached are just not accurate.

"I don't think any of them were compliant at the time of the breaches. All those stories you hear tend to come from third-hand knowledge -- you know, 'I heard from someone who heard that...' " he says. "Usually they either weren't really compliant in the first place, or they fell out of compliance after certification but before the breach."

Take, for instance, the types of breaches that are occurring today, says Eduardo Perez, head of global payment system security for Visa.

"It is interesting, as I was looking through a list of major breaches this year, none of them materially involved card data, and I think that's telling," he says. "Breaches are still occurring and, unfortunately, companies are still getting hacked and losing other consumer information. But the hackers aren't getting to the card side of it, and it's mitigating some of the impact there."

Another key piece of evidence that PCI is working is the number of other industries that are looking to the council for advice on how to create something similar in their own spheres.

"I'm in D.C. twice a month, not lobbying for anything, but just talking because they all want to know how we got people to voluntarily do these things. I've got to tell you very honestly that three-and-a-half years ago when we testified before Congress, it was 180 percent the other way. They were saying, 'You guys are the bad guys -- it's not working," Russo says. "Well, how the worm turns. One of my biggest victories was getting a call from the lawyer who was all over me like white on rice at the hearing. He called to let me know he wasn't working for Homeland Security anymore, that he's working for finance, and they have to put together a plan for protecting data and want to use PCI as the model. This was the same guy who had raked me over the coals! Amazing, just amazing."

Of course, in order to continue to meet the technology and threat climate, the council can't afford to rest on its laurels. With the advent of mobile payments, the use of smartphones as credit card surrogates, and the parade of new hacking techniques that continue to barrage merchants and payment processors daily, the standard must constantly evolve.

"What we're dealing with now is evaluating what's next," Graham says. "At the community meeting, we had discussions on the mobile space. ... We have to remain relevant, and we have to become more proactive in addressing things, especially in emerging technologies, even though we don't want to set a standard for them because we don't want to minimize the evolution of that emerging space."

As Russo puts it, as long as there are static credit card numbers -- and, according to the card brands, that's going to be for a long time -- there will always be the need for the PCI Council.

"It's not going away, no matter what we do or how we do it," he says. "There's always going to be the need for security. If you want to be in business, you have to include some plan for securing that cardholder data. This is what we're trying to drive home."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.