Raising the Bet: A National Payment Security Standard

Written by David Taylor
May 7th, 2009

GuestView Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.

In the high stakes poker tournament that is the payment processing industry these days, a group of merchants and payment application vendors has raised the bet. Not content to just advise the players (by joining the PCI SSC), a group of merchants and payment system vendors have decided to take a seat at the table by launching their own payment security standard — an American National Standard, under the auspices of the ASC X9 standards committee.

So, does one national standard beat two pairs of industry standards? Let’s examine the players and some relevant history:

  • From PCI DSS to a Full House of Industry Standards
    From its humble beginnings as an effort to rationalize and harmonize the Visa, MasterCard and AMEX security guidelines and turn them into a single standard, the PCI SSC continues to raise the bet by launching more and more standards to address different aspects of the payment security business: Payment application security (PA-DSS), PIN entry device security (PCI-PED), Hardware security modules (PCI HSM), Kiosk and ATM security (PCI UPT), etc.

    Even though these standards are emerging through a participatory process, some merchants and vendors clearly see this game as “rigged” — run by the card networks, enforced by the card networks, with fines imposed by the card networks. The merchants and vendors may be allowed to offer advice; they are not “players” in the game. But now this could be changing.

  • We Raise You a National Standard
    The Merchant Advisory Group (a grass-roots payment-focused consortium of merchants from across the airline, retail, hospitality, communications and other industries), working in conjunction with several major players from the POS application business, have decided they want their own seat in this poker game, and have decided to raise the industry-specific standards of the card brands by proposing a national standard, through ANSI’s ASC X9 committee.

    The focus of this standard is “end-to-end encryption” from the POS all the way to the processor and through to the acquirer, which the proposed standard identifies as the “most vulnerable” part of processing payments. Adopting this standard would, one assumes, mean changes for the acquiring banks, something the PCI DSS requirements have not included, as they have been focused on protecting card data on the merchant premise (which, merchants argue, they never wanted in the first place).

    By pushing the security mandate “upstream” to the banks, the proposed encryption standard is a clear “in your face” response to the card networks and the PCI SSC. At the same time, such an initiative will ultimately need the cooperation of the card networks and the banks, since they’re members of the ASC X9 committees, so I expect this will actually be a relatively civil game of poker. But, for now, it’s important that merchants, service providers, technology providers (especially encryption vendors) be aware of this effort, even though this is going to be one long poker tournament.

  • How Long Will This Last? — A History Lesson
    The short answer is “years.” The proposed ASC X9 standard optimistically suggests they will get a standard published 30 months after they get approval to actually launch the effort. But I suspect that estimate does not include an allowance for the politics of trying to launch a standard that is both competitive with and cooperative with the PCI SSC’s efforts.

    Historically, the national and international standards process takes much longer than industry standards, simply because of the scope and bureaucracy of standards-making. It’s also important to remember that not all standards succeed.

    For example, some may remember the SET (secure electronic transaction) protocol, which was a precursor to PCI DSS back in 1997. Even older fogies may also remember that there were dozens of industry-specific EDI (Electronic Data Interchange) standards that gave way to the ANSI ASC X12 standards. I’m not suggesting the PCI DSS will eventually be replaced by ANSI X9 standards, but I am pointing out that this is going to be a very long poker tournament, since we haven’t yet heard from the international standards making bodies, which are likely, at some point, to pull up a chair and enter the payment standards making game, just as they did with EDI (UN-EDIFACT), a United Nations standard.

  • The Bottom Line
    So, what the lesson here? Do not assume that you are even close to “done” just because you filled out a form and are, today, PCI compliant. There’s a lot of new PCI standards coming from the SSC, there will likely be new ANSI standards from ASC X9, and perhaps more. The poker game continues. Get set for an all-nighter. Of course, I’d love to have you visit and join the PCI Knowledge Base so you can search our research database. In addition, if you want to discuss this topic, send an E-Mail to

  • advertisement

    Comments are closed.


    StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

    Most Recent Comments

    Why Did Gonzales Hackers Like European Cards So Much Better?

    I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
    Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
    A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
    The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
    @David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

    Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.