The lack of a genuinely global Data Security Standard from the Payment Card Industry Security Standards Council has caused much confusion, particularly among European merchants. In response, the council has appointed a European director, Jeremy King, who promises to support European merchants on the road to compliance. Louise Naughton reports.

In 2006 the five major card brands, American Express, Discover, JCB, MasterCard and Visa, formed the Payment Card Industry Security Standards Council (PCI SSC) in a bid to create a single Data Security Standard (DSS) for merchants across the world.

By creating one set of requirements, it was believed that confusion and uncertainty would be eliminated. Not so: the Friday 1 October deadline, billed as D-Day for UK merchants, came and went without so much as a whimper.

Important information, such as which merchants the deadline actually applied to, was misreported by various media outlets and consultancies, bizarrely without the council or the card brands appearing to notice.

Figure: bar chart showing the state of PCI DSS compliance in the UK, according to merchants

Lack of clarity

The lack of clarity appears to be more prevalent in Europe, and this may be directly related to the council's painfully slow realisation that it needs to make more of an effort to engage, educate, encourage and, most importantly, support European merchants on the road to PCI DSS compliance.

The appointment of Jeremy King as the council's European director in July this year signals a shift towards genuinely 'global standards', and a break from what has arguably been an Americanised, tunnel-vision view. It has also highlighted the need for a stronger European voice and presence within the council and its security standards.

King has a major task on his hands to get European merchants onside with a set of requirements that has arguably seemed alien to them for so long. How does he aim to redress the balance of the council to increase European support? And in doing so, will he take on board the compliance issues, seemingly fraught with confusion, that the council has traditionally shied away from?

King told CI he approached
Bob Russo, the council’s general manager, after noticing Russo was
juggling both the American and European markets.

King felt that, as a result, the council was unable to cater to the demands of European merchants or provide more visible day-to-day support, something he wished to overturn.

King has three main focuses in his new role, all aimed at driving adoption of the PCI DSS in Europe to the levels seen among American merchants.

The first is to educate European merchants as to why the standard is applicable to the European payment market. He said he has been working with a number of special interest groups around the region to produce a document on the standard in an EMV environment, which has already proved beneficial.

“We have had fantastic support from
Barclaycard and Tesco in the UK, and card brands such as Visa
Europe,” said King.

“The document helps show how PCI DSS and EMV can work together and are not competing security specifications. EMV has helped to drive down face-to-face fraud, but even in that environment there is still space for criminals to obtain security data.”

European support

Photograph: Stanley Skoglund, senior vice-president of payment system risk at Visa Europe

The second area King has been working towards is to garner support among European retailers and show them that they do have the leverage to influence the PCI Council as they move towards adopting the standards.

He said he is constantly seeking
feedback from everyone involved in the transaction process – be
that merchants, banks, brands or third party processors, in a bid
to ensure the standards are relevant and applicable to the European
market.

“We are currently going through an update of the PCI DSS and PA-DSS, and most of the changes have come as a direct result of the comments received from the participating organisations,” said King.

“It is all about trying to get the
message across to organisations that this is something they should
all be involved in. European merchants can help us achieve more
tailored standards by feeding their European flavour right into its
heart.”

The third area of focus for King is to understand the different needs of each European country, which he says is challenging and a process still under development.

King claims that European merchants
have responded positively to him and very much appreciate the level
of support and understanding that is now being offered. He claims
there is now a lot more involvement in special interest groups and
the numbers for attendees at the Council’s European Committee
meetings have increased significantly.

King cites timing, where the card brands are based and where the process originated as reasons for the marked difference in PCI DSS adoption between America and Europe, but argues that adoption is now coming as a wave across Europe.

Stanley Skoglund, senior
vice-president of payment system risk at Visa Europe, told
CI he agrees wholeheartedly with King’s view that the
European voice needs to be louder within the Council.

“It is true that the balance of
representation is skewed towards North America,” said Skoglund.

“It is likely there is a difference
of perception as to how relevant PCI DSS compliance is in different
markets. Looking forward, we would like to see a far greater
stakeholder involvement from the European community and stronger
representation in the council. Although it is not non-existent, it
could certainly be better.”

However, retailers seem to value
clarity and education above an increase in European presence on the
council.

“[The lack of European
representation in the council] is an issue and it is something for
us to look at,” said Richard Braham, policy advisor for the British
Retail Consortium (BRC).

“I’m sure the composition of the
council would make a difference, but we are more concerned with
getting on with the job. In doing so, we are really looking for
clarity from the banks and card schemes.”

‘All stick and no carrot’

In addition to discussions about Europe's representation on the council, conflict between retailers and card brands has arisen regarding investment in PCI DSS compliance.

Paul Atmore, a programme manager for an unnamed tier-one UK retailer, says the general mood surrounding compliance is that the standards are dictated from above and too one-sided.

“We bear all the costs and
responsibility – it is all stick and no carrot,” said Atmore.

Atmore believes there needs to be a
sharing of costs between retailers and credit card organisations,
or an incentive that leads to retailers saving money in the long
term.

Both Atmore and Braham cite the migration to EMV as the model of investment and support they feel the card brands should apply to PCI DSS compliance. However, while Skoglund acknowledges that conflict has indeed arisen between retailers and card schemes, he argues this is not possible.

“In the present constitution of
Visa, obviously we can’t really make those investments [into PCI
DSS] as we did with EMV,” he said.

“We feel as though we have done our
bit and put our head above the parapet to provide guidance on
controversial issues such as tokenisation and end-to-end
encryption. I do understand that some retailers don’t particularly
like having to accommodate and invest in PCI DSS, but our approach
is reasonable and not heavy handed.”

Braham said the BRC is looking to
work collaboratively with card schemes to adopt an individual ‘risk
based’ approach to compliance, and do away with the ‘one size fits
all’ model.

In response, Skoglund argues that when it comes to compliance and deadlines, Visa Europe does take an individual ‘carrot-and-stick’ approach with retailers.

He told CI that plans to introduce a firm deadline for tier-one retailers in Europe were scrapped because those retailers were judged too different in their set-ups and business models. It was decided instead that Visa Europe would work on a one-to-one basis with larger retailers under a ‘risk prioritisation approach’.

The latest deadline for PCI DSS compliance, scheduled for 1 October and set by Visa Inc for merchants in the Americas, was thrown into confusion when various media outlets and consultancies incorrectly reported that it applied to UK merchants.

Industry analysts Redshift, who conducted a survey on behalf of IT security and compliance solutions provider Tripwire back in March this year, were among the many to misinterpret the deadline. Redshift's managing director Guy Washer said he received the information about the deadline from Tripwire, but claims it was the “perceived wisdom” in the industry at the time.

“We didn’t understand the
distinction between Visa Inc and Visa Europe until several months
ago,” said Rob Warmack, senior director of international marketing
at Tripwire.

“The coming and passing of the
October 1 deadline to the UK actually doesn’t have any impact, as
the deadlines for the UK have already come and gone. All merchants
are expected to be compliant with PCI DSS now.”

Growing need for guidance

Despite this confusion, King maintains his stance that the council has no involvement in, or influence over, merchants' compliance with the standards, and there seem to be no plans to change that.

It seems there is a growing need for the guidance and the compliance literature to be merged, rather than remaining separate processes run by separate entities.

The PCI SSC claims it is looking to
engage with European merchants but it must sit up and take notice
of compliance issues rather than shy away from the very real
concerns that merchants have.

Something needs to be done to bridge the gap between the council
and card schemes as it currently seems disjointed, which risks
undermining the standards and impeding the collective end goal of
adoption.