By Kelly Shermach E-Commerce Times
03/25/07 4:00 AM PT
The group couldn't have appeared at a better time. Media reports of credit card data storage breaches -- most notably the recent news and ongoing recovery of the TJX Cos. breach -- demand industry attention and an effort to ensure that merchants and transaction processors securely store only appropriate consumer card information.
Seana Pitt, chairperson of the PCI Security Standards Council and vice president of merchant policy and data quality at American Express, spoke with the E-Commerce Times about PCI's primary objectives.
E-Commerce Times: How did the Payment Card Industry group come together? What is the charge of the PCI Security Standards Council?
Seana Pitt: In response to emerging security threats, the PCI Security Standards Council was formed as an attestation to how important it is to secure customer and transaction data. It was formed to help industry vendors and merchants do the right thing and validate that they do it well. That is the concept behind the council's Quality Assessor program. The second charge of the council is that its members make sure the standard is applied across the industry -- to gain the awareness of and adoption by every business that may touch a payment transaction.
There was industry interest in a data security standard (DSS) before September 2006. As we had all seen payment data go missing, we started to informally work together. We started to bounce around standards ideas two to three years ago in a loose alignment.
From the time we all decided the way the industry was working, it took eight months to get the council together. The standard started as an agreement that we all just need to take care of customers and ensure customer satisfaction. The PCI Data Security Standard will be managed by the council.
ECT: How does the council guarantee that the DSS incorporates appropriate and comprehensive measures? How did PCI go about developing a model for data security and for certification with the standard?
Pitt: The council is in the process of engaging industry merchants, vendors, EFT (electronic funds transfer) networks, POS (point of sale) application developers, banks and other stakeholders with a regional and global view in this diverse business to make the standard more about the marketplace.
We have had really great turnout in the United States and Europe. We are looking to build relationships in Asia Pacific and Latin America. If we are to have a truly global security standard, we have to get the whole world at the table. A 21-member board will report directly to the executive committee and have direct access to participating members to create and promote the ongoing evolution of the standard.
At launch, each brand's data elements were named, and common terminology was accepted for the new security measure. Following that we addressed cross-scripting at the application level of software products, not just at the network level.
ECT: How much of the effort can practically and effectively be replicated across different industry players, regardless of database technology or point-of-sale systems?
Pitt: When you engage a merchant, you want to make sure the merchant is able to use one assessor program for all brands rather than have to go to American Express, MasterCard and Visa.
In addition to ensuring the standard is clear and that it addresses emerging security threats, we need to develop an understanding of how to implement the standard and how to overcome implementation challenges.
The complexity of standards implementation depends on the complexity of the business model and the infrastructure at the company trying to certify with the PCI DSS. What the standard does is outline 12 steps as a guideline.
In general, though, companies should not be retaining magnetic-stripe data, PIN (personal identification number) data and CVV2 (card verification value) codes. That is the Holy Grail of the standard. We don't want people to have that data in their businesses. We've seen a lot of customers have a lot of "a-ha's." They find inappropriate, highly sensitive data is going to old data or marketing systems somebody forgot were there.
ECT: What incentive do they have to comply with PCI's DSS?
Pitt: The biggest incentive to certify through the PCI DSS right now is that everybody's brand is on the block, front and center. TJX did not protect its customers. The biggest incentive is that everybody needs to ensure they have their customers' trust. Insert your name in the TJX articles. Do you really want that damage to your brand and reputation?
PCI wants to educate everybody better on the importance of security and convince them that it is the right thing for them to do.
ECT: What does certification bring a merchant? Is PCI going to do a consumer education campaign and say, "Here are some great merchants. They care about the security of your personal information so much that they've jumped through all of the hoops we've set for them. They comply with our standard, and that makes them exemplary businesses."?
Pitt: The best security is often the security you don't see. As we think about the council going forward, we have talked about compliance marks. The consumer may like that, but does it raise the attention of the hacker? The "you think you're so secure" sort of challenge?
We have decided that the best thing to do is to focus on security and then let each business decide how it's going to brand compliance with the standard with its own customers.