Involving Merchants

NACS, other retail groups ask PCI Council to lead collaborative effort

ALEXANDRIA, Va. -- The Payment Card Industry (PCI) Security Standards Council must take the lead in developing a collaborative approach with merchants in defining more open standards for future PCI Data Security Standard (DSS) requirements, the National Association of Convenience Stores (NACS) and several other trade associations stressed in a June 8 letter to the council.

"Today, most of the risk and financial burden for operating in compliance with PCI DSS is borne by the merchants, our members. Yet, the credit-card companies and banks realize significant revenue from the credit-card transactions from our members' businesses.... We propose that the PCI Security Standards Council take the lead in implementing a process whereby all constituents can actively participate in the process of defining more open standards for future PCI DSS requirements," the groups wrote.

To date, merchants have spent more than $1 billion on PCI DSS compliance as part of their security programs; however, NACS and the other trade groups said that it has become increasingly difficult to comply with the program's requirements in a cost-effective and timely manner, and they outlined five requests to mitigate the challenges they face:
Incorporate a formal review and comment phase on revisions to the PCI DSS by participating membership before they are issued. "This will result in more informed revisions and will increase merchants' understanding of and ability to effectively implement the revised standards. We suggest that the PCI SSC adopt a similar process for writing standards in an open environment as is used by Accredited Standards Committee X9," the letter noted.
Ensure that the amount of time between the issuance of a revision to the PCI DSS and its effective date is appropriate for all merchants. This would include Level-1 merchants making enterprise-wide changes based on the revisions being implemented, as well as small operators without the resources to readily comply. "This will allow merchants to most effectively assess and implement the necessary actions needed to meet the requirements of the revision. Along with this, we request that the sunset date of version 1.1 of the PCI DSS be extended to December 31, 2009."
Follow, and adopt, the new standard to protect cardholder data that ASC X9 has announced plans to develop, which may include end-to-end data encryption. "By leveraging end-to-end encryption of credit card transactions, the industry could implement broad and consistent protections for consumers, businesses and the global electronic payment system by rendering card information useless to thieves."
Use the concepts of key controls and controls rationalization to restructure the more than 200 detailed requirements of the PCI DSS. "This would reduce the reporting and maintenance burden on companies by ensuring they place a focus on the key controls that reduce overall risk for their particular business model."
Require credit-card companies and their banks to give merchants the option of saving only authorization codes and a truncated receipt, rather than requiring them to store all credit-card information for dispute resolution, which the groups said is "putting customers at unnecessary risk."

"Our members take data security seriously," said NACS president and CEO Hank Armour. "We need to have the PCI Security Standards Council play a much more active role in involving merchants in the process."

In addition to NACS, other groups signing the letter were the National Retail Federation, National Restaurant Association, American Hotel and Lodging Association, National Council of Chain Restaurants, Merchant Advisory Group and the International Franchise Association.

The PCI Security Standards Council, Wakefield, Mass., is a global open body formed to develop, enhance, disseminate and assist with the understanding of security standards for payment account security. It maintains, evolves and promotes the PCI security standards. It also provides tools needed for implementation of the standards such as assessment and scanning guidelines, a self-assessment questionnaire, training and education and product certification programs. Funding members include American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.; they have agreed to incorporate the PCI Data Security Standard as part of the technical requirement for each of their data security compliance programs.

Each founding member also recognizes the Qualified Security Assessors and Approved Scanning Vendors qualified by the PCI SSC to assess compliance with the PCI DSS.

The PCI SSC's founding member card brands share equally in the council's governance and operations. Other industry stakeholders participate in reviewing proposed additions or modifications to the standards, including merchants, payment card issuing banks, processors, hardware and software developers and other vendors.