It's hard for me to talk about TJX's specific processes because I only know their issues from what's been reported in the media. But one thing we always try to help companies understand is that they need to know where data such as PIN and credit card numbers are, and get rid of it immediately. That's the simple first step: If you're done with the data, get rid of it. There's simply no reason to store it. The journey to PCI DSS compliance is just that, a journey. You should consider dumping that stuff the first step on your journey.
We've done a lot of outreach since September and since the TJX breach, and one thing I'm extremely optimistic about is that people are no longer asking why they need to comply with PCI DSS. Now they ask how to do this. The level of questions on how to implement this has risen sharply. We spoke at the CSO Interchange during RSA [held in San Francisco in February] and what came out of it is that awareness is up by 90%. And this is no longer a credit card thing. It has become about how you protect the lifeblood of your company -- the customers.

The PCI Security Standards Council formed last September as part of a wider overhaul of the PCI DSS. Talk about what the council's primary tasks are, whether it involves further updates to the standard or more extensive training and enforcement programs.
When we launched there were several criteria. One was to become a place where companies can go to ask questions and get information on the standards. There was a lot of noise in the system, so the council was set up to deal with that noise.
There is further need for continuing clarification. You get specific questions on how to think about a given requirement. If multiple businesses come in and ask the question, it becomes apparent that something wasn't clear. In September, we added stronger language on application security because we see that as an emerging threat vector and we need to be staying ahead of the bad guys. It was also necessary to add more clarity and consistency to the guidelines. Security is an evolving process. The council wants to get more stakeholders -- merchants, banks -- to the table to help us with feedback on what implementation and security challenges are there. How do we make the PCI standard a living, breathing road map? Compliance is not a one-time experience.

Talk about the makeup of the council, in terms of the number of members and the breakdown of representation.
We have each of the five payment brands represented, and we are adding a membership participation organization with 150 members. Globally, 67% of the membership are U.S. businesses -- merchants, processors, banks, point-of-sale vendors and security vendors.

You just hired a general manager, correct?
Yes, our new general manager is Bob Russo, who will be the face of the standards council and will help me with outreach. He has more than 25 years of high-tech business management, operations and security experience. Most recently, he served as the vice president of commercial sales for Secure Info, a provider of security, risk and compliance services and software. He was also a founder of a number of software and security companies, including Network-1 Software & Technology and ATC Security. His presence and leadership will further our goal of engaging key stakeholders. His previous experience managing the compliance of payment industry merchants, issuers, acquirers and service providers while maintaining relationships with the credit card payment brands made him a natural choice for this position.

What are some of the specific projects now under way?
We are currently laying out a calendar for getting input on the next generation of the standard. Big companies are starting to get it. Now we need to help guide the small-to-medium-sized businesses. They tend to not be as sensitive as the bigger companies to the threats out there and they are not as aware of PCI DSS. The small restaurant owners are not necessarily going to be thinking about this the same way a large financial firm is. If the restaurant, for example, is going to be buying a new point-of-sale system, we want to be there to help them make the right choices and ensure the right level of security.

If they are not paying as much attention as the bigger guys, how do you help them with that?
We are working on a specific set of standards for point-of-sale vendors, standards as to what must be in this technology and what the vendor must do to be in compliance with PCI DSS. That is one of the big business initiatives for us right now.