Revised Card Data Standards Aim for Improved Clarity

As of Jan. 1, merchants and payments companies must ensure that their systems comply with versions 2.0 of the Payment Card Industry and Payment Application data security standards the PCI Security Standards Council released Oct. 28.

Neither of the updated standards designed to protect sensitive cardholder data brings dramatic change, said Bob Russo, the PCI council general manager.

The changes include improved definitions of the secure boundaries between a merchant's Internet connection and the cardholder data, as well as recognition that issuers have a legitimate need to store sensitive authentication data.

The changes also let merchants prioritize security vulnerabilities. This gives merchants better control over how they secure their payment environments, Russo said.

"The standards are maturing," Russo said, noting that merchants increasingly have accepted their compliance roles in the payment system. "People realize what needs to be done and how to comply with it."

But one group of merchants - the smallest - continues to struggle with PCI-compliance issues, he said.

Many small merchants are unsure which self-assessment questionnaire to use, Russo said. The questionnaires are designed to ferret out weak spots in a merchant's payment scheme.

"Very often we found that smaller merchants went with a bigger" self-assessment questionnaire, he said, "and half of their responses had 'not applicable' written in."

The council intends to put more emphasis on educating small merchants to avoid such confusion, he said.

"We have to help them understand what it means to be compliant, how to become compliant and what could possibly happen" if they do not, Russo said.

As part of that effort, the council redesigned its website. As of Oct. 28, all of the council's materials for small businesses were gathered in one section on the site, Russo said. The information previously was scattered in various places and often was difficult to locate, he said.

"We continue to understand the biggest impediment to [merchants'] complying is an education issue," he said.

The PCI council was formed in 2006 to manage the various PCI security standards, including the PCI data security standard, which was written in 2004 based on existing security programs at Visa Inc. and MasterCard Inc. It was designed to guide merchants on how to protect or dispose of any sensitive card data they handle.

For reprint and licensing requests for this article, click here.
MORE FROM AMERICAN BANKER