Thales Blog

PCI DSS Talking Points From Arizona

September 22, 2011

Ian Hermon | Product Marketing Manager

The North American PCI SSC Community Meeting brings together vendors, assessors and other stakeholders from across the payments chain to discuss the implementation of PCI standards. This year’s meeting is in Scottsdale, Arizona and has hosted some lively debates on the future of PCI DSS. Although arguably PCI DSS has been more topical in North America in the past, the international representation of delegates and the issues that are being discussed this year do show that there is an increasing acknowledgement that PCI DSS is indeed a global standard.

So what has been on the agenda?

The conference continues to put focus on the card brands’ clear goal to be ‘champions of security’. Nevertheless there has been acknowledgement from all quarters that security measures must evolve as new technologies emerge. The rise of mobile payments is an example of a new pressure that presents an array of challenges, a topic which has been discussed previously here and here.

A key issue that has been raised at the conference in relation to the North American payments environment is that small merchants often have problems complying with PCI DSS, especially those in the hospitality and restaurant sector. Any activity that does not generate business is a challenge for small companies. For SMEs with small numbers of employees, complying with PCI DSS can be a major headache in terms of both time and expense. For the hospitality sector in particular, it can be difficult for organisations to prove to assessors that they have not kept a record of cardholder data once a transaction has been made.

The Arizona conference of course comes hot on the heels of PCI SSC’s Point-to-Point Encryption (P2PE) solution requirements document issued last week (see this post). That document focused heavily on hardware-to-hardware P2PE solutions rather than software-only or hybrid solutions (using hardware at the point of interaction [POI] and software for working keys at the acquirer). The message from the conference is that while hybrid P2PE solutions are under discussion, they are not a priority. PCI SSC wants to avoid having to reissue requirements because of problems that might arise in specifying less well understood technologies. Solutions using hardware cryptography are well understood, as they are the basis of more than 20 years of proven PIN security.

With responsibility for PIN security having moved to PCI, we can expect PIN Security Requirements to be released shortly. The payments industry has a lot on its plate. The PCI Council’s European meeting is scheduled for next month in London. It will be interesting to see how rapidly some of these topics evolve.