Meet the PCI Security Standards Council

Today is launch day for a new consortium I've been helping structure for the last several months — the PCI Security Standards Council, LLC.   You should be happy to hear about this new organization, because its purpose is to tighten the security procedures that protect your financial data against theft and fraud, not only globally but on an end-to-end basis, from point of sale to debiting of your account. 

The new organization was formed by the largest credit card brands in the world: MasterCard Worldwide, Visa International, American Express, Discover Financial Services, and JCB (a Japanese brand). At the heart of the organization is the Payment Card Industry (PCI) Data Security Standard, originally created prior to formation of the Council by aligning Visa's Account Information Security (AIS) and Cardholder Information Security Program (CISP) programs with MasterCard's Site Data Protection (SDP) program. Version 1.0 of the standard was contributed to the consortium for further evolution, maintenance and application. Version 1.1 is already completed, and becomes effective today.

The PCI DSS establishes a set of principles for maintaining security, accompanied by requirements for demonstrating that those principles have been effectively met and maintained. The standard addresses the establishment, maintenance, and monitoring of security measures for each type of participant in the transaction process, including merchants, processors, point-of-sale (POS) vendors and financial institutions, and covers security management, policies, procedures, network architecture and software design, among other areas. By agreeing on a common standard, all participants in the credit extension and clearance process will have a single rulebook to operate under, providing greater efficiency and lower compliance costs for those being assessed, and greater certainty for those relying on their security practices.

Like many standard-setting organizations, PCI creates standards, but it also administers a means by which compliance can be tested. But unlike most consortia, which may license one or a small number of independent service providers to perform compliance testing, PCI will certify a global network of service providers that can test the thousands of players in the global credit network for compliance with the standard. Those providers fall into two categories: "Qualified Security Assessors" (QSAs), who perform the on-site assessments, and "Approved Scanning Vendors" (ASVs), who perform the external vulnerability scans the standard requires.

These service providers will use the standard to evaluate participants in the financial data chain, and pass or fail them on compliance. Payment card industry brands and other participants may then use this information to determine with whom they will and will not share financial data, and those that are evaluated can also identify areas of weakness in their systems and procedures and close any gaps that exist. The result should be tighter security, fewer data breaches, and fewer credit card holders victimized by fraud.

Entities that are part of the financial data chain (merchants, payment device and service vendors, processors, financial institutions and others) can join PCI as "Participating Organizations," comment on new versions of the PCI DSS, elect representatives to an Advisory Board, and propose new initiatives.

I’ve worked with over 70 organizations and open source projects now that develop, promote or advocate for open standards, and have helped create the majority of them.  It’s always a pleasure to see a new one leave the nest and get down to business.  If you’re curious, you can see the full list here.