ALEXANDRIA, Va. -- The Payment Card Industry (PCI) Security Standards Council must take the lead in developing a collaborative approach with merchants in defining more open standards for future PCI Data Security Standard (DSS) requirements, according to NACS and several other trade associations in a June 8 letter to the council, NACS reported in a press release.
"Today, most of the risk and financial burden for operating in compliance with PCI DSS is borne by the merchants, our members. Yet, the credit card companies and banks realize significant revenue from the credit card transactions from our members’ businesses ... We propose the PCI Security Standards Council take the lead in implementing a process whereby all constituents can actively participate in the process of defining more open standards for future PCI DSS requirements," the groups wrote.
To date, merchants have spent more than $1 billion on PCI DSS compliance as part of their security programs. However, NACS and the other trade groups said that it has become increasingly difficult to comply with the program’s requirements in a cost-effective and timely manner, and outlined five requests to mitigate the challenges they face:
1. Incorporate a formal review and comment phase on revisions to the PCI DSS by participating membership before they are issued. "This will result in more informed revisions and will increase merchants’ understanding of and ability to effectively implement the revised standards. We suggest that the PCI SSC adopt a similar process for writing standards in an open environment as is used by Accredited Standards Committee X9," the letter noted.
2. Ensure the amount of time from issuance of a revision to the PCI DSS and the effective date is appropriate for all merchants. This would include Level-1 merchants making enterprise-wide changes, based on the revisions that are being implemented, as well as small operators without the resources to readily comply. "This will allow merchants to most effectively assess and implement the necessary actions needed to meet the requirements of the revision. Along with this, we request that the sunset date of version 1.1 of the PCI DSS be extended to Dec. 31, 2009."
3. Follow and adopt the ASC X9 announcement of its plan to develop a new standard to protect cardholder data that may include end-to-end data encryption. "By leveraging end-to-end encryption of credit card transactions, the industry could implement broad and consistent protections for consumers, businesses and the global electronic payment system by rendering card information useless to thieves."
4. Use the concepts of key controls and controls rationalization to restructure the more than 200 detailed requirements of the PCI DSS. "This would reduce the reporting and maintenance burden on companies by ensuring they place a focus on the key controls that reduce overall risk for their particular business model."
5. Require credit card companies and their banks to give merchants the option of saving only authorization codes and a truncated receipt, rather than requiring them to store all credit card information for dispute resolution, which the groups said is "putting customers at unnecessary risk."
"Our members take data security seriously," NACS President and CEO Hank Armour said in a released statement. "We need to have the PCI Security Standards Council play a much more active role in involving merchants in the process."
In addition to NACS, other groups signing the letter were the National Retail Federation, National Restaurant Association, American Hotel and Lodging Association, National Council of Chain Restaurants, Merchant Advisory Group and the International Franchise Association.