The biggest challenge in pushing PCI DSS further forward relates to issues of education, including the Council's effort to aggressively expand adoption of the standard outside of U.S. borders.
One of Russo's most recent personal victories to that end was when a representative for a French banking association, who had repeatedly challenged the executive in public forums over the need for DSS, shook his hand at an industry event and told him the organization was moving to adopt the mandate.
However, one of the biggest problems related to payment card industry security remains consumers' lack of understanding in differentiating between credit account fraud and identity theft.
The mainstream media has fueled the problem, with Russo expressing frustration that his interview was cut from a recent episode of the CBS news program "60 Minutes" in favor of what he labeled "sensationalistic fear-mongering" about consumers suffering long-term affects of identity theft, rather than focusing on real fraud -- the price of which is being almost entirely shouldered by the credit card industry that forms the Council.
Looking forward, the PCI Council will focus on further refining individual elements of the standard -- with an updated version of the rules due out in September 2008 -- and by vetting the processes used by companies seeking certification.
"It often takes years for these types of efforts to gain adoption, but we can't ask companies to break their business to do so. In some cases there is a need to move slowly, and we need to tailor the standard to better meet up with different business models," sad Russo. "But the merchants are truly getting onboard. They hear all the horror stories and they're working to protect themselves from becoming the next headline. Feedback from everyone involved will continue to be crucial to our future progress, and we're trying to listen to as many people's ideas as possible."