Mr. Bob Russo
PCI Security Standards Council, LLC
401 Edgewater Place, Suite 600
Wakefield, MA 01880
Dear Mr. Russo:
Thorough and effective data security standards are a necessary and important facet of a business's ability to protect customer credit card information, maintain the integrity of the electronic payment system and foster solid trust with its customers. The vast majority of our members accept credit cards and are subject to the data security requirements mandated by the Payment Card Industry Data Security Standard (PCI DSS). They take data security seriously and have spent in excess of one billion dollars on PCI DSS compliance as part of their security programs. However, it is becoming increasingly difficult for our members to comply with the program's requirements in a cost-effective and timely manner, especially in this difficult economic climate.
Therefore, we ask that you consider the following requests for near-term action:
1. Incorporate a formal review and comment phase on revisions to the PCI DSS by participating membership before they are issued. This will result in more informed revisions and will increase merchants’ understanding of and ability to effectively implement the revised standards. We suggest that the PCI SSC adopt a similar process for writing standards in an open environment as is used by Accredited Standards Committee X9 (ASC X9). As ASC X9 also maintains data security standards, we recommend the PCI SSC partner with them in an effort to create a single standard that could be used by all.
2. Ensure that the amount of time between issuance of a revision to the PCI DSS and its effective date is appropriate for all merchants, including Level 1 merchants making enterprise-wide changes, based on the revisions that are being implemented, as well as small operators without the resources to readily comply. This will allow merchants to most effectively assess and implement the actions needed to meet the requirements of the revision. Along with this, we request that the sunset date of version 1.1 of the PCI DSS be extended to December 31, 2009.
3. Follow and adopt the ASC X9 announcement of its plan to develop a new standard to protect cardholder data that may include end-to-end data encryption. By leveraging end-to-end encryption of credit card transactions, the industry could implement broad and consistent protections for consumers, businesses and the global electronic payment system by rendering card information useless to thieves.
4. Utilize the concepts of key controls and controls rationalization to restructure the more than two hundred detailed requirements of the PCI DSS. (These concepts are similar to what the U.S. Government enacted for publicly traded companies as part of the Sarbanes-Oxley Act). This would reduce the reporting and maintenance burden on companies by ensuring they place a focus on the key controls that reduce overall risk for their particular business model.
5. Require credit card companies and their banks to provide merchants with the option of keeping nothing more than the authorization code provided at the time of sale and a truncated receipt, rather than requiring merchants to store credit card information for dispute resolution, putting customers at unnecessary risk.
Today, most of the risk and financial burden of operating in compliance with the PCI DSS is borne by the merchants, our members. Yet the credit card companies and banks realize significant revenue from the credit card transactions of our members' businesses. In an effort to establish a more collaborative approach to developing PCI DSS requirements, we propose that the PCI Security Standards Council take the lead in implementing a process whereby all constituents can actively participate in defining more open standards for future PCI DSS requirements (again, similar to the processes enacted for the Sarbanes-Oxley Act and used by groups such as ASC X9).
On behalf of our members, we thank you for your consideration and look forward to receiving a response to our request.
cc: Kenneth Chenault, American Express Company
David Nelms, Discover Financial Services
Joseph W. Saunders, Visa, Inc.
Robert Selander, MasterCard Worldwide
Tamio Takakura, JCB International Credit Card Company, Ltd.