Divide and ???

Posted by in Analysis on Aug 12, 2010

If you’re a PCI maven, you probably already know that today the PCI Security Standards Council (SSC) issued their summary changes to the current PCI-DSS and PA-DSS which will become v2.0 of both documents.

Rob Westervelt interviewed me on the changes and pulled this quote for his article:

My biggest fear is that we’re beginning to see a splintering of PCI with other documents being issued outside of the standard.

And if you’re reading this, you’ve probably already read what Ed and I had to say on the topic in our recent post here.

So why post again?

First, to bring attention to a noteworthy post from Gary Palgon (who heads up Product Management for tokenization/truncation vendor nuBridges and is also lead Chair for the PCI SSC Scoping SIG) on the updates and his take on card brands holding back standards adoption.

Second, because we’d like to make it clear that, in this case, we think “divide and conquer” is only going to help attackers. And hurt merchants. Break the standard up into multiple documents from the Council (SSC) and let in other “standards” or best practices from the brands (like the VISA tokenization and truncation BPs) and we’re going to go back to where we started: a series of possibly contentious documents that merchants, retailers, and acquiring banks need to read through, parse, normalize and implement.

The purported purpose of the PCI-DSS (and PA-DSS) was to give those that need to protect CHD (cardholder data) a single source for guidance on how to accomplish that goal. Splintering gets us nowhere. And the kind of splintering that’s going on right now will most likely lead to: divide and conquer. FTW=Fraudsters. Let’s get it together and make sure that doesn’t happen.
