Impressions from the PCI Community Meeting
Around one networking table, a consultant from the United Kingdom explained how she is building PCI compliance requirements for a major retailer into its existing ISO 27001 program. This is a trend for which companies increasingly are opting: building PCI's 12 requirements into their existing security compliance programs. "Companies are beginning to look at PCI more strategically, applying the same protection measures that they use on card data on the rest of the sensitive personal data they hold," says Gary Palgon, a PCI security pro who attended the session.
One first-time attendee offered his impressions from the meeting: "From talking to others, I think most felt that this was a very different meeting when compared to past meetings, in that there was less chaos," says Matt Davis, Audit and Compliance principal practice lead at SecureState, a Cleveland, OH-based risk management assessment firm.
To some extent Davis says he sees this more orderly meeting as a "side effect" of 2009 being a feedback year - 2010 is the year for the next expected update. "But I think this is primarily a testament to the amount of information and clarification over the past year, including revisions of forms and the standard, information supplements, and the increase of online FAQs," he says. "But if there was a common theme this year, it's that there needs to be even more of this."
The community meeting offered ample opportunity for discussion of PCI guidance, consensus, clarity, best practices and examples. But Davis says he continues to hear cries about the need for better definition of terms. "It is somewhat amazing that there can still be debate even over core concepts such as what cardholder data is and what authorization is," he notes. It's this situation that continues to drive confusion and debate about PCI from the top level with the card brands all the way down to the service providers and merchants.
One thing is for sure: There needs to be more discussion, more information sharing. I think the PCI-SSC gets this, based on the amount of information they've shared even before the meeting.
Let's see what comes next out of the European PCI-SSC community meeting in October, and then how quickly the raw data from the PricewaterhouseCoopers emerging technologies survey is synthesized and actions taken.
2010 can be a huge evolutionary year for the PCI standard. And it all starts here.