The leading man for the payment card industry's data security standard claims that most companies affected by the mandate have begun to embrace the regulation, rather than debate or deny its merits.
In the last year, perceptions of the PCI DSS security requirements -- authored by the world's largest credit card issuers and aimed at forcing companies that handle account data to sufficiently protect their sensitive information and IT systems -- have shifted dramatically, with most organizations making a genuine effort to understand and comply with the rules, said Bob Russo, general manager of the PCI Security Standards Council.
Differing factions still voice concerns over specific elements of the PCI regulation, largely around areas of the mandate that they feel are too prescriptive or vague, but the process of moving the standard forward has gained considerable momentum both in the United States, and around the globe, the PCI Council chief maintains.
"You'll always have people who resist when they are told that they have to do something, but most seem to agree that there is nothing alien in the three standards that we've issued thus far," Russo said. "I think that's because we've been able to establish that PCI is a strong security standard and this is work that people need to do anyways. Most of the remaining discord is related to the fact that people don't want to rip out and replace legacy systems."
In fact, close to 100 percent of all the merchants, card processors, and related businesses that qualify as "tier 1" PCI DSS targets have already become compliant with the standard, and many smaller organizations are well on their way, he said.
The PCI standard has come under additional scrutiny of late in light of a massive data breach at supermarket chain Hannaford Brothers, the first publicly reported incident of its kind at a business that claims to have been certified as PCI compliant.
However, the questions that the event has spurred -- about everything from the regulation's efficacy at preventing breaches to the issue of whether or not PCI compliance assessors will be held liable for incidents at certified companies -- will ultimately aid in the continued adoption and evolution of the measure, Russo said.
Russo said it's still unclear to what extent Hannaford was actually certified, or attentive in maintaining its compliance with the mandate. It also illustrates to other businesses that they will need to remain focused on related data security issues at all times, not merely when they know that they are being audited.
"The truth is that achieving compliance is a moment in time, it's a snapshot, and you need to be vigilant and live with these issues on a daily basis; you can't get your compliance certificate and put it in a drawer and feel satisfied," Russo said. "It's still pretty unclear exactly what happened [at Hannaford], but the upside is that they've said they'd like to share information about their incident, and feedback from everyone involved in this process has been crucial in making our efforts successful."
The biggest challenge in pushing PCI DSS further forward relates to issues of education, including the Council's effort to aggressively expand adoption of the standard outside of U.S. borders.
One of Russo's most recent personal victories to that end was when a representative for a French banking association, who had repeatedly challenged the executive in public forums over the need for DSS, shook his hand at an industry event and told him the organization was moving to adopt the mandate.
However, one of the biggest problems related to payment card industry security remains consumers' lack of understanding in differentiating between credit account fraud and identity theft.
The mainstream media has fueled the problem, with Russo expressing frustration that his interview was cut from a recent episode of the CBS news program "60 Minutes" in favor of what he labeled "sensationalistic fear-mongering" about consumers suffering long-term affects of identity theft, rather than focusing on real fraud -- the price of which is being almost entirely shouldered by the credit card industry that forms the Council.
Looking forward, the PCI Council will focus on further refining individual elements of the standard -- with an updated version of the rules due out in September 2008 -- and by vetting the processes used by companies seeking certification.
"It often takes years for these types of efforts to gain adoption, but we can't ask companies to break their business to do so. In some cases there is a need to move slowly, and we need to tailor the standard to better meet up with different business models," sad Russo. "But the merchants are truly getting onboard. They hear all the horror stories and they're working to protect themselves from becoming the next headline. Feedback from everyone involved will continue to be crucial to our future progress, and we're trying to listen to as many people's ideas as possible."