PCI achievements of 2009

When I took over as chair of the PCI Security Standards Council in January, I knew it was going to be a busy year. I've witnessed the payment community come together in unprecedented ways by putting aside individual opinions and staying focused on how we can continue to evolve and develop the PCI Data Security Standard (PCI DSS) to best protect cardholder data on a global level. And while there is much to look forward to for the council in 2010, I want to look at the significant strides made over these past 12 months to protect both companies and consumers from costly data theft associated with card breaches. It has been all about listening to the global payment community this year through our feedback cycle and education programs, and we hope that the industry has noticed. On a global level, the council continues to extend beyond simply defining the standards. We provide resources to address specific security challenges and mobilize the payment community through training sessions, open discussion forums and both formal and informal feedback sessions.

A key global success was the launch of the PCI DSS standards training program, which helps merchants and service providers improve their preparation for on-site assessments, to better understand what is involved in creating their own internal assessment capabilities and to establish an internal compliance program to help sustain PCI DSS security practices and compliance long after the assessment process is completed. Since the spring, programs have been held in seven sites around the world: Atlanta, Boston, Chicago, London, Las Vegas, Prague, Sydney and Toronto. Training sessions will continue throughout 2010 so that merchants and service providers of all sizes on their path to PCI DSS compliance worldwide are empowered with the same knowledge as the assessment community.

I can't talk about global coordination, or even collaboration, without mentioning the community meetings. The payment community came together for the North American Community Meeting in September and the European Community Meeting in October. Each year, these meetings enable the council to solicit valuable feedback from the participating organizations, QSA/ASV and PED lab stakeholders. More than 700 delegates from retail, financial services, government and more attended to contribute feedback on the PCI standards in person and to hold lively discussion around areas like reducing the scope for PCI DSS, logging best practices and increased awareness of PCI standards and resources across the world.

The community meetings were particularly important this year since we are in a feedback period for the PCI DSS and PA-DSS lifecycle process. Prior to and during the community meetings, insights were gathered from merchants, service providers, financial institutions, vendors, QSAs and ASVs and third-party experts. This information was discussed by participating members and will continue to be discussed throughout the beginning of 2010 by the council and reviewed by the board of advisers to determine what revisions may be needed to the PCI DSS, PA-DSS and the supporting documentation. Once any necessary revisions are adopted into the standards, they will officially be announced at the 2010 community meetings. A big milestone behind us and another one to look forward to next year!

A favorite saying of mine goes: “If you think education is expensive, try ignorance.” This couldn't be more true for the payment community. By educating merchants on achievable and solid security programs, we hope to protect them against the cost of a data breach that can alienate a merchant's customer base and even put them out of business. From SMBs to large organizations, education has been a primary focus for us this year.

The council has put out tools like the Prioritized Approach framework to help merchants understand the scope of the PCI DSS to help reduce risk, and guidelines such as the “Skimming Prevention: Best Practices for Merchants” informational supplement with recommendations to protect point-of-sale terminals.

We've also listened to what the community has identified as elements of the PCI DSS that are challenging or open to interpretation. As a result of these suggestions, the community has come together to form the council's special interest groups. Currently, there are four of these independent groups led by the board of advisers, including wireless, scoping, virtualization and preauthorization, with the wireless group being the first to release its findings on best practices for protecting card data in a WLAN environment. The aim of these special interest groups is not to introduce new standards or requirements but rather to provide the payment community with highly specific, actionable advice for meeting the specifications of the PCI DSS, while at the same time offering information in easy-to-use graphics and flow charts aimed at increasing merchants' understanding.  

While the council has made tremendous progress during 2009, now is not the time to rest on our laurels. As we move forward into the new year, analyzing feedback and moving toward the next version of PCI standards, it's now more important than ever that we stay ahead of industry developments. We'll continue to offer training programs globally to assist in the assessment preparation, further explore emerging technologies such as tokenization and end-to-end encryption and support the release of additional industry resources to better serve the payment community. This year's achievements aside, we'll also remain focused on our goal of providing you, the payment and security community, with the most up-to-date tools and resources to develop your security programs.  

And, in the spirit of the council's open and collaborative nature, I welcome your feedback on what you'd like to see from us in 2010. Please contact me directly.