The PCI Security Standards Council, which oversees the payment card industry’s security regulations, is concerned that merchants will be confused over the emergence of the unaffiliated PCI Security Vendor Alliance.
"Their entry into the marketplace will distract and potentially add confusion," said Seana Pitt, chair of the PCI SSC. "Their messaging is so tightly linked to our messaging, there's a concern there'll be a lack of clarity on who manages the standard going forward."
The PCI SSC was founded by the big five credit card operators – Mastercard, Visa, American Express, JCB, and Discover – last September in order to provide a go-to for merchants who are obliged by their contracts with these vendors to meet certain data security guidelines. It can be found at pcisecuritystandards.org.
The guidelines are meant to mitigate the problem of credit card data theft, such as the massive heist at TJX recently. The twelve-point document mandates, for example, firewalls, data obfuscation and strong access control policies.
The PCI SVA is made up of a number of smaller security vendors. Its goal is to sell security products to merchants that need to meet these standards, filling a perceived gap left by the PCI SSC – it doesn’t tell you what products and services can help you meet the requirements. It can be found at pcialliance.org.
Alan Bird, senior vice president of PCI SVA founder-member Cyber-Ark, does not think there are any conflicts or confusions here. "We've never tried to position ourselves as being the standards body; we've tried to be very clear in our messaging that we aren't that," he said.
He noted that the organization has made some changes to its web site recently that make it explicit that the two groups are not formally affiliated.
While PCI SSC’s Pitt said that the concern is for Joe merchant, who may not know where to go for advice on PCI compliance, Bird said that the PCI SVA has not had any formal contact with such merchants to date.
"We haven't had communications with any merchants that thought we owned the standard or with any vendors who thought they could join us and directly influence that standard," Bird said. "We're in the formative stages of the alliance."
The PCI SVA was formed with eight founding members shortly before the RSA Conference in February, after which it attracted a few dozen new vendor members. One founding member, VeriSign, has since withdrawn from the alliance, for its own reasons.