Raising the Bet: A National Payment Security Standard

GuestView Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.

In the high-stakes poker tournament that is the payment processing industry these days, a group of merchants and payment application vendors has raised the bet. Not content to merely advise the players (by joining the PCI SSC), they have decided to take a seat at the table by launching their own payment security standard: an American National Standard, under the auspices of the ASC X9 standards committee.

So, does one national standard beat two pairs of industry standards? Let's examine the players and some relevant history:

  • From PCI DSS to a Full House of Industry Standards
    From its humble beginnings as an effort to rationalize and harmonize the Visa, MasterCard and AMEX security guidelines and turn them into a single standard, the PCI SSC continues to raise the bet by launching more and more standards to address different aspects of the payment security business: Payment application security (PA-DSS), PIN entry device security (PCI-PED), Hardware security modules (PCI HSM), Kiosk and ATM security (PCI UPT), etc.

    Even though these standards emerge through a participatory process, some merchants and vendors clearly see the game as "rigged": run by the card networks, enforced by the card networks, with fines imposed by the card networks. The merchants and vendors may be allowed to offer advice, but they are not "players" in the game. Now that could be changing.

  • We Raise You a National Standard
    The Merchant Advisory Group (a grass-roots, payment-focused consortium of merchants from the airline, retail, hospitality, communications and other industries), working in conjunction with several major players from the POS application business, has decided it wants its own seat in this poker game, and is raising the card brands' industry-specific standards by proposing a national standard through ANSI's ASC X9 committee.

    The focus of this standard is "end-to-end encryption" from the POS all the way to the processor and through to the acquirer, which the proposed standard identifies as the "most vulnerable" part of payment processing. Adopting such a standard would, one assumes, mean changes for the acquiring banks, something the PCI DSS requirements have not included, since they have been focused on protecting card data on the merchant's premises (data which, merchants argue, they never wanted to hold in the first place).

    By pushing the security mandate "upstream" to the banks, the proposed encryption standard is a clear "in your face" response to the card networks and the PCI SSC. At the same time, such an initiative will ultimately need the cooperation of the card networks and the banks, since they are members of the ASC X9 committees, so I expect this will actually be a relatively civil game of poker. For now, though, it's important that merchants, service providers and technology providers (especially encryption vendors) be aware of this effort, even though this is going to be one long poker tournament.

  • How Long Will This Last? — A History Lesson
    The short answer is "years." The ASC X9 proposal optimistically suggests that a standard could be published 30 months after approval to actually launch the effort. But I suspect that estimate does not include an allowance for the politics of launching a standard that is both competitive with and cooperative with the PCI SSC's efforts.

    Historically, national and international standards take much longer to produce than industry standards, simply because of the scope and bureaucracy of standards-making. It's also important to remember that not all standards succeed.

    For example, some may remember the SET (Secure Electronic Transaction) protocol, a precursor to PCI DSS back in 1997. Even older fogies may also remember that there were dozens of industry-specific EDI (Electronic Data Interchange) standards that gave way to the ANSI ASC X12 standards. I'm not suggesting the PCI DSS will eventually be replaced by ANSI X9 standards, but I am pointing out that this is going to be a very long poker tournament, since we haven't yet heard from the international standards-making bodies, which are likely, at some point, to pull up a chair and enter the payment standards game, just as they did with EDI (UN/EDIFACT, a United Nations standard).

  • The Bottom Line
    So, what's the lesson here? Do not assume that you are even close to "done" just because you filled out a form and are, today, PCI compliant. There are many new PCI standards coming from the SSC, there will likely be new ANSI standards from ASC X9, and perhaps more. The poker game continues. Get set for an all-nighter. Of course, I'd love to have you visit and join the PCI Knowledge Base so you can search our research database. In addition, if you want to discuss this topic, send an e-mail to [email protected].