The man leading the payment card industry's data security standard claims that most companies affected by the mandate have begun to embrace the regulation, rather than debate or deny its merits.
In the last year, perceptions of the PCI DSS security requirements -- authored by the world's largest credit card issuers and aimed at forcing companies that handle account data to sufficiently protect their sensitive information and IT systems -- have shifted dramatically, with most organizations making a genuine effort to understand and comply with the rules, said Bob Russo, general manager of the PCI Security Standards Council.
Differing factions still voice concerns over specific elements of the PCI regulation, largely around areas of the mandate that they feel are too prescriptive or vague, but the process of moving the standard forward has gained considerable momentum both in the United States, and around the globe, the PCI Council chief maintains.
"You'll always have people who resist when they are told that they have to do something, but most seem to agree that there is nothing alien in the three standards that we've issued thus far," Russo said. "I think that's because we've been able to establish that PCI is a strong security standard and this is work that people need to do anyways. Most of the remaining discord is related to the fact that people don't want to rip out and replace legacy systems."
In fact, close to 100 percent of all the merchants, card processors, and related businesses that qualify as "tier 1" PCI DSS targets have already become compliant with the standard, and many smaller organizations are well on their way, he said.
The PCI standard has come under additional scrutiny of late in light of a massive data breach at supermarket chain Hannaford Brothers, the first publicly reported incident of its kind at a business that claims to have been certified as PCI compliant.
However, the questions that the event has spurred -- about everything from the regulation's efficacy at preventing breaches to the issue of whether or not PCI compliance assessors will be held liable for incidents at certified companies -- will ultimately aid in the continued adoption and evolution of the measure, Russo said.
Russo said it's still unclear to what extent Hannaford was actually certified, or attentive in maintaining its compliance with the mandate. The incident also illustrates to other businesses that they will need to remain focused on related data security issues at all times, not merely when they know that they are being audited.
"The truth is that achieving compliance is a moment in time, it's a snapshot, and you need to be vigilant and live with these issues on a daily basis; you can't get your compliance certificate and put it in a drawer and feel satisfied," Russo said. "It's still pretty unclear exactly what happened [at Hannaford], but the upside is that they've said they'd like to share information about their incident, and feedback from everyone involved in this process has been crucial in making our efforts successful."