Q&A: No Alternative to PCI, Security Council Chief Insists
Robert Russo, the general manager of the Payment Card Industry Security Standards Council, fires back at critics of the PCI data security standard.
What do you say to those who have said the PCI rules-making process is not as inclusive as it needs to be?

The way it works is after we release a new standard, it stays out there for approximately eight months and then a new comment period begins. All of our participating organizations, as well as all of the assessment community and approved software vendors and such, will have the opportunity to give us formal feedback. We will ask them to tell us what their top five priorities are regarding the standard: what they would like to see addressed, what they'd like to see changed, what they'd like to see added or deleted. We take all of this information and we will digest that and put that in some form that can be distributed once again to the participating communities, saying: 'This is the result of everything we have gotten. And this is what we are proposing, based on what we heard should be in the newest version of the standard,' and then we will have another comment period. That information will be the basis for the new or evolved standard that will be released.
Representatives from seven trade groups sent you a letter earlier this month asking why the PCI standards development process can't be like the one used by the American National Standards Institute. What's your response?

We are a global standard, so there are some issues...with just dealing with a standard that comes from one country or the other. As a matter of fact, when they published that letter, there was an article over in the U.K. saying, 'Hey, this is a global standard. Why are you telling these guys to do something that is just U.S.-centric?' We need to worry about stuff all over the world. That is specifically what we are doing at this point. Certainly, we look at all standards to see how we might be able to align our standards with those things. If there is a better way of doing it than the existing standards, we have no qualms about adopting it.