Increasing standards alignment and consistency is a core pillar in the PCI Security Standards Council’s strategic framework, which guides how the Council achieves its mission and supports the needs of the global payments industry. In this interview with PCI SSC Operations Officer Mauro Lance, we discuss this strategic pillar and how it’s shaping Council priorities.
What does the Council’s focus on increasing standards alignment and consistency mean?
Mauro Lance: The Council was established to bring multiple sets of data security requirements that existed at the time into one aligned data security standard for the payment card industry, the PCI Data Security Standard (PCI DSS). Years later, alignment and consistency for the industry continue to be core aspects of PCI Standards and Programs development, with the goal of driving effective implementation by stakeholders.
How does the Council achieve this?
Mauro Lance: The Council provides the industry with standards and supporting validation programs that unify payment brand security requirements into a common set of criteria and works to align these efforts with other standards organizations to reduce redundancy of standards and assessments.
How does the Council’s focus on standards and programs alignment and consistency ultimately benefit the industry?
Mauro Lance: When standards are aligned and consistent, it makes it easier for stakeholders to implement them effectively, thus improving their security posture. The Council provides the industry with a common, global set of security best practices and requirements so that entities that store, process, or transmit cardholder data do not have to implement different and sometimes non-aligned sets of security requirements, which increases implementation overhead and complexity. Our validation programs are created to support this effective implementation, which is key to the Council’s mission and our value proposition to the industry.
What are some examples of how the Council’s focus on standards and programs alignment and consistency is shaping PCI SSC initiatives?
Mauro Lance: The PIN Security Standard and the Card Production Security Standards, and their respective Assessor Programs, are great examples of this strategic pillar in action.
In collaboration with the Accredited Standards Committee (ASC X9), the Council published Version 3.0 of the PCI PIN Security Standard in August 2018 to create one unified PIN Security Standard that would simplify the security assessment process for stakeholders. Our recently launched Qualified PIN Assessor (QPA) Program will provide additional benefits to the payments industry by providing a certification and centralized list of approved PIN Assessor Companies that will ensure high quality QPA services for merchants and service providers into the future.
In May 2013, the Council also published Version 1.0 of the Card Production Security Standards (Physical and Logical Security Requirements), which aligned industry security requirements for card production. After a few minor updates, Version 2.0 of the standards was released in January 2017 to include mobile provisioning, and finally earlier this year we launched the new Card Production Security Assessor (CPSA) Program. By converging existing card production assessor programs into a single and aligned industry card production assessor program, the PCI CPSA Program will create consistency across assessments and ensure guidance and training keep pace with the current threat landscape.