A lack of global Data Security
Standards by the Payment Cards Industry Security Standards Council
has caused much confusion, particularly among European merchants.
This has led to the council appointing European director Jeremy
King, who promises to support European merchants on the road to
compliance. Louise Naughton reports.

Six years ago, the five major
credit card organisations, American Express, Discover, JCB,
MasterCard and Visa, formed the Payment Cards Industry Security
Standards Council (PCI SSC) in a bid to create a common set of Data
Security Standards (DSS) for merchants across the world.

By creating one set of
requirements, it was believed confusion and uncertainty would be
eliminated. Not so, as the Friday 1 October deadline, billed as
D-Day for UK merchants, came and went without so much as a
whimper.

Important and influential
information, such as which merchants the deadline impacted, was
misreported by various media outlets and consultancies, bizarrely
without the council or credit card organisations’ knowledge.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

View profiles in store

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData

Submit

UK USA Afghanistan Åland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bonaire, Sint Eustatius and Saba Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos Islands Colombia Comoros Congo Democratic Republic of the Congo Cook Islands Costa Rica Côte d"Ivoire Croatia Cuba Curaçao Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard Island and McDonald Islands Holy See Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Isle of Man Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati North Korea South Korea Kuwait Kyrgyzstan Lao Latvia Lebanon Lesotho Liberia Libyan Arab Jamahiriya Liechtenstein Lithuania Luxembourg Macao Macedonia, The Former Yugoslav Republic of Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montenegro Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestinian Territory Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Réunion Romania Russian Federation Rwanda Saint Helena, Ascension and Tristan da Cunha Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and The Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and The South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syrian Arab Republic Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates US Minor Outlying Islands Uruguay Uzbekistan Vanuatu Venezuela Vietnam British Virgin Islands US Virgin Islands Wallis and Futuna Western Sahara Yemen Zambia Zimbabwe Kosovo

Industry * Academia & Education Aerospace, Defense & Security Agriculture Asset Management Automotive Banking & Payments Chemicals Construction Consumer Foodservice Government, trade bodies and NGOs Health & Fitness Hospitals & Healthcare HR, Staffing & Recruitment Insurance Investment Banking Legal Services Management Consulting Marketing & Advertising Media & Publishing Medical Devices Mining Oil & Gas Packaging Pharmaceuticals Power & Utilities Private Equity Real Estate Retail Sport Technology Telecom Transportation & Logistics Travel, Tourism & Hospitality Venture Capital

Tick here to opt out of curated industry news, reports, and event updates from Electronic Payments International.

Submit and download

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

Lack of
clarity

The lack of clarity seems to be
more prevalent in the European region, and this may be directly
related to the painfully slow-paced realisation of the council’s
need to make more of an effort to engage, educate, encourage and
most importantly support European merchants on the road to PCI DSS
compliance.

The appointment of Jeremy King as
the European director of the council in July this year has
indicated a shift towards the notion of the ‘global standards’, and
a break from the arguable Americanised tunnel-vision view. It has
also highlighted the need for a stronger European voice and
presence within the council and its security standards.

King has a major task on his hands
to get European merchants onside with a set of requirements that
have arguably seemed alien to them for so long. How does he aim to
readdress the balance of the council to increase European support?
Furthermore in doing so, will he take on board the compliance
issues seemingly fraught with confusion the council has
traditionally shied away from?

King told CI he approached
Bob Russo, the council’s general manager, after noticing Russo was
juggling both the American and European markets.

King felt as a result, the council
was unable to cater to the demands of European merchants and
provide more visible day-to-day support – something he wished to
overturn.

King has three main focuses in his
new role to help drive the adoption of the PCI DSS in Europe to the
same levels among American merchants.

The first is to educate European
merchants as to why the standards are applicable to the European
payment market. He said he has been working with a number of
special interest groups around the region to provide a document on
the standards in an EMV environment which has already proved to be
beneficial.

“We have had fantastic support from
Barclaycard and Tesco in the UK, and card brands such as Visa
Europe,” said King.

“The document helps show how PCI
DSS and EMV can work together and are not competing security
specifications. EMV has helped to drive down face to face fraud but
even in that environment there is still space for criminals to
obtain security data.”

European
support

The second area
King has been working towards is to garner support among European
retailers and show them that they do have the leverage to influence
the PCI Council as they move towards adopting the standards.

He said he is constantly seeking
feedback from everyone involved in the transaction process – be
that merchants, banks, brands or third party processors, in a bid
to ensure the standards are relevant and applicable to the European
market.

“We are currently going through an
update of the PCI DSS and PA DSS and most of the changes have come
as a direct result of the comments received from the participating
organisations,” said King.

“It is all about trying to get the
message across to organisations that this is something they should
all be involved in. European merchants can help us achieve more
tailored standards by feeding their European flavour right into its
heart.”

The third area of focus for King is
to understand the different needs for each European country which
he says is challenging and a process which is currently under
development.

King claims that European merchants
have responded positively to him and very much appreciate the level
of support and understanding that is now being offered. He claims
there is now a lot more involvement in special interest groups and
the numbers for attendees at the Council’s European Committee
meetings have increased significantly.

King cites timing, where the card
brands are based, and where the process originated, as reasons why
there has been a marked difference between adoption of PCI DSS in
America and Europe, but argues adoption is now coming as a wave
across Europe.

Stanley Skoglund, senior
vice-president of payment system risk at Visa Europe, told
CI he agrees wholeheartedly with King’s view that the
European voice needs to be louder within the Council.

“It is true that the balance of
representation is skewed towards North America,” said Skoglund.

“It is likely there is a difference
of perception as to how relevant PCI DSS compliance is in different
markets. Looking forward, we would like to see a far greater
stakeholder involvement from the European community and stronger
representation in the council. Although it is not non-existent, it
could certainly be better.”

However, retailers seem to value
clarity and education above an increase in European presence on the
council.

“[The lack of European
representation in the council] is an issue and it is something for
us to look at,” said Richard Braham, policy advisor for the British
Retail Consortium (BRC).

“I’m sure the composition of the
council would make a difference, but we are more concerned with
getting on with the job. In doing so, we are really looking for
clarity from the banks and card schemes.”

‘All stick and no
carrot’

In addition to
discussions about Europe’s representation on the council, conflict
between retailers and credit card organisations has arisen
regarding PCI DSS compliance investment.

Paul Atmore, a programme manager
for an unnamed tier-one UK retailer, claims the general mood
surrounding compliance is that the standards are dictated and too
one-sided.

“We bear all the costs and
responsibility – it is all stick and no carrot,” said Atmore.

Atmore believes there needs to be a
sharing of costs between retailers and credit card organisations,
or an incentive that leads to retailers saving money in the long
term.

Both Atmore and Braham quote the
migration to EMV as a process by which they feel credit card
organisations should apply to PCI DSS compliance in terms of
investment and support. However, while Skoglund acknowledges that
conflict has indeed arisen between retailers and card schemes, he
argues this isn’t possible.

“In the present constitution of
Visa, obviously we can’t really make those investments [into PCI
DSS] as we did with EMV,” he said.

“We feel as though we have done our
bit and put our head above the parapet to provide guidance on
controversial issues such as tokenisation and end-to-end
encryption. I do understand that some retailers don’t particularly
like having to accommodate and invest in PCI DSS, but our approach
is reasonable and not heavy handed.”

Braham said the BRC is looking to
work collaboratively with card schemes to adopt an individual ‘risk
based’ approach to compliance, and do away with the ‘one size fits
all’ model.

In response to this, Skoglund
argues that on the area of compliance and deadlines, Visa Europe
does promote an individual ‘carrot- and-stick’ style approach to
retailers.

He told CI that plans to
introduce a firm deadline for tier-one retailers in Europe were
scrapped as it was viewed that they are too different in their
set-ups and business models. It was then decided that Visa Europe
would work on a one-to-one basis with larger retailers on a ‘risk
prioritisation approach’.

The latest deadline for PCI DSS
compliance, scheduled for 1 October and set by Visa Inc to include
merchants in the Americas, was thrown into confusion when various
media outlets and consultancies incorrectly reported it was to
impact UK merchants.

Industry analysts Redshift
conducted a survey on behalf of IT security and compliance
solutions provider Tripwire, back in March this year, and were
among the many to misinterpret the deadline. Redshift’s managing
director Guy Washer said he received the information surrounding
the deadline from Tripwire but claims that it was the “perceived
wisdom” in the industry at the time.

“We didn’t understand the
distinction between Visa Inc and Visa Europe until several months
ago,” said Rob Warmack, senior director of international marketing
at Tripwire.

“The coming and passing of the
October 1 deadline to the UK actually doesn’t have any impact, as
the deadlines for the UK have already come and gone. All merchants
are expected to be compliant with PCI DSS now.”

Growing need for
guidance

Despite this confusion, King
maintains his stance that the council has no involvement or
influence over merchant’s compliance to the standards, and there
seems to be no plans to change.

It seems there is a growing need
for the guidance and compliance literature to be merged rather than
stay as separate processes run by separate entities.

The PCI SSC claims it is looking to
engage with European merchants but it must sit up and take notice
of compliance issues rather than shy away from the very real
concerns that merchants have.

Something needs to be done to bridge the gap between the council
and card schemes as it currently seems disjointed, which risks
undermining the standards and impeding the collective end goal of
adoption.