Internet Retailer - Strategies For Multi-Channel Retailing

Tuesday, June 16, 2009

Merchants complain about the cost of payment card security rules

The PCI data security rules require that a retailer comply with every requirement, instead of letting the merchant focus on areas of greatest risk. Merchants are getting tired of that all-or-nothing approach, and are letting the PCI Security Standards Council know it.

The National Retail Federation and six other national associations of merchants, gas stations, hotels and restaurants sent an open letter to the council last week asking for changes in PCI rules. The letter notes that merchants have spent more than $1 billion complying with PCI rules since the major card brands--Visa, MasterCard, American Express and Discover--joined forces in 2005 to create the Payment Card Industry standard, now widely known as PCI.

Among the five requests in the merchant letter is the restructuring of the more than 200 PCI requirements to "reduce the reporting and maintenance burden on companies by ensuring they place a focus on the key controls that reduce overall risk for their particular business model."

Merchants have been outspoken in preferring a risk-based approach that lets a company focus on the systems and processes that are most vulnerable to a data breach, says Dave Glaser, vice president of global professional services at online payments and security provider CyberSource Corp. "Instead PCI takes the approach that you have to check off every box to be considered compliant and that's a very expensive and time-consuming process," he says.

Another PCI expert, David Taylor, founder of PCI Knowledge Base, notes he's been working with the Merchant Risk Council, a retailer anti-fraud group, to assess whether there's a connection between the money spent on PCI compliance and reducing fraud. "Proving a connection looks to be very difficult for merchants," Taylor says.

In their letter, the merchants also request that there be a comment period before new PCI rules are adopted, that the PCI council allow sufficient time for all merchants--especially larger ones--to comply with new mandates, that PCI consider end-to-end encryption of payment card data as a means to prevent criminal activity, and that it give merchants the option of keeping only the authorization code obtained at the time of a sale and not more extensive credit and debit card information.

In a response, Bob Russo, general manager of the PCI council, noted that the organization is studying end-to-end encryption and will report on its findings in the fall. In addition to welcoming input from interested parties, he noted that such merchants as Wal-Mart, Tesco, McDonald's and Exxon Mobil had been elected recently to the council's Board of Participating Organizations that reviews the PCI standards.

Copyright © 2010 This content is the property of Vertical Web Media.