In-depth

PCI's Bob Russo: Data loss hurts brand more than a fine

As Christmas shoppers spend away and data breaches keep hitting the headlines, the Payment Card Industry's security council is charged with keeping customer's data safe.

The Payment Card Industry Data Security Standard (PCI DSS) and the global forum formed to administer it, the PCI Security Standards Council (PCI SSC), pre-dated the biggest security breaches that have come to mark a new era of unprecedented cyber criminal activity.

Since card operators Visa, MasterCard, American Express, Discovery and JCB aligned their individual data security policies and created PCI DSS in 2004, the likes of TK Maxx, Cotton Traders and numerous government departments have proven the need for such regulation.

But the PCI DSS has risen up the corporate agenda ever since the threat of fines and losing the ability to process credit cards was introduced with a June 2007 deadline for those found to be non-compliant.

The standard is intended to create an additional level of protection for consumers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data. And the PCI council is charged with regulating PCI DSS and communicating its importance to any organisation handling credit card data anywhere in the world.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

IT PRO spoke to PCI SSC general manager, Bob Russo about the challenges faced in raising the data security agenda.

IT PRO: 2007 was big year for PCI DSS, with the passing of the payment card operators' final deadline for compliance. What's been going on this year?

Russo: It's been just as busy. We released version 1.2 of the standard in October. Just prior to its release, we had our North America community meeting, which attracted 625 attendants and actually included quite a few representatives from Europe. There were a couple of days' good debate about the development of the standard, given that we're in a two-year cycle.

Next year will be a feedback year on how the implementation of version 1.2 has gone. And we also talked about our new QA [quality assessor] programme and got a lot of feedback on that, having kicked it off in October to maintain the quality of PCI assessments as well.

Then we had our first European meeting in Brussels with well over 200 people attending. I would say there is a lot more uptake in Europe on the standard. In fact, they are running, not walking, to comply. Reaction to the new version was good. It doesn't really contain any surprises, but instead includes a lot of clarifications, so organisations looking to stay up to date don't have to go back to square one to remain compliant.

It's interesting that you observe organisations are running' to be compliant. How do you propose they keep up if, as you say, the standard is on a two-year development cycle?

Advertisement - Article continues below

My guess is that the next release in 2010 will be a 2.0. But there are a couple of things we're doing to make sure it develops in line with the capabilities of our stakeholders. Starting in January, we're launching research into how the standard's specification should embody emerging technologies, like end-to-end encryption, virtualisation and secure payment tokens, that might come outside of its scope, making it easier to comply.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now
Advertisement

Most Popular

Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/business-strategy/mergers-and-acquisitions/354602/xerox-to-nominate-directors-to-hps-board-reports
mergers and acquisitions

Xerox to nominate directors to HP's board – reports

22 Jan 2020
Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020