Skip navigation

PCI Seeks Retailer Feedback

Trade groups, retail companies and others that have criticized the Payment Card Industry Data Security Standard will have an opportunity to influence its development over the next four months. The PCI Security Standards Council here, formed in 2006 by the major credit card associations to manage the PCI standard, launched an open feedback process on July 1. Companies that are council

WAKEFIELD, Mass. — Trade groups, retail companies and others that have criticized the Payment Card Industry Data Security Standard will have an opportunity to influence its development over the next four months.

The PCI Security Standards Council here, formed in 2006 by the major credit card associations to manage the PCI standard, launched an open feedback process on July 1. Companies that are council members, as well as those that are not, can express their views on the current standard, version 1.2, and provide suggestions for changes and improvements. The feedback period ends Oct. 31.

The PCI standard encompasses a series of rules detailing how merchants are expected to securely store, process and transmit cardholder data; merchants that fail to comply with the standard may be subject to fines and other penalties. But trade groups such as the National Retail Federation, Washington, have repeatedly found fault with the standard.

Last month, NRF and several other trade associations sent a joint public letter to the PCI Council and its affiliated credit card companies recommending several ways to make the standard “more effective and cost efficient.” These included adopting “a similar process for writing standards in an open environment as is used by Accredited Standards Committee X9 (ASC X9)”; extending the sunset date for version 1.1 of the standards to Dec. 31, 2009; leveraging “end-to-end encryption” of credit card transactions; and restructuring the more than 200 detailed requirements of the standard by focusing on key controls.

The letter also recommended requiring credit card companies and their banks “to provide merchants with the option of keeping nothing more than the authorization code provided at the time of sale and a truncated receipt, rather than requiring merchants to store credit card information for dispute resolution, putting customers at unnecessary risk.”

Besides NRF, the associations authoring the letter included the National Restaurant Association, American Hotel and Lodging Association, National Council of Chain Restaurants, Association for Convenience & Petroleum Retailing, Merchant Advisory Group and the International Franchise Association.

In response to the letter, the PCI Council invited the trade groups to participate in the feedback process that began July 1. “We appreciate input from these industry associations and we do encourage those that are not formal council stakeholders to join up and become active participants, lending practical security expertise — along with their ideas — to evolve payment data security standards,” said Bob Russo, general manager, PCI Security Standards Council.

Among the associations that authored the letter, NRF and the Merchant Advisory Group have become “participating organizations” in the PCI Council, which allows them to submit formal comments during the feedback period, as well as attend community meetings hosted by the council and vote for council board members. Participating organizations pay an annual membership fee of $2,500.

The Food Marketing Institute, Arlington, Va., is also a participating organization in the PCI Council. “We are considering the opportunity to submit feedback” during the open period, said FMI spokesman Bill Greer.

Food retailers and wholesalers that are on the PCI Council's list of 515 participating organizations posted on its website (www.pcisecuritystandards.org) include Kroger, Safeway, Wal-Mart Stores, Publix Super Markets, Hannaford Bros., Wakefern, Nash Finch, Loblaw Cos., Tesco and Sainsbury's. Other retailing companies on the list are Wawa, Quik Trip, McDonald's, Amazon.com, Rite Aid, Big Lot Stores and PetSmart, among others.

Hannaford Bros., hit by a major data breach last year, did not respond to a query on its interest in the PCI feedback process.

Other categories of participating organizations include financial institutions, POS suppliers and payment processors, among other companies. The participating organizations, along with about 400 PCI standard assessment companies, submit feedback on desired changes to the standard via an online form, citing their “top five priorities,” said Russo.

Companies that are not participating organizations in the PCI Council also have an opportunity to provide input on changes to the standard by contacting the council via its website or by sending Russo an email at [email protected].

All suggestions sent to the PCI Council by companies that are not participating organizations “get read by our technical working group, and, if valid, will get added to the feedback [submitted by participating organizations],” said Russo. Most of the comments submitted by outside companies have “already been addressed,” he added, but if a comment represents “an aha moment,” it will be included in the formal feedback.

Version 1.2 of the standard was released on Oct. 1, 2008, starting a five-part “lifecycle process” by which the next version is developed. The first part, “market implementation,” ended July 1, when the feedback process started. The feedback period also includes two community meetings where the input will be debated; the first, in Las Vegas, is set for Sept. 22-24, while the second is scheduled for late October in Prague. Meeting attendees will also hear the results of a study commissioned by the PCI Council on new technology that could affect the standard, including end-to-end encryption, tokenization and “chip and PIN,” used by credit cards in the U.K.

Part three of the cycle, involving feedback review, runs from Nov. 1 through April 30, 2010. It is followed by a four-month review of a proposed version, including another feedback period, and the release of the next version on Sept. 30, 2010.