learn unix and linux commands

  Credit Card Brands Lack of Communication

Asmost of you in the world of PCI already know MasterCard once againthrew another grenade this past week with several PCI enforcement rulechanges, this article is not about those changes (see MasterCards 2 Step)for that discussion. I want to discuss the card brandscommunication/dissemination of PCI rule changes, or lack thereof! Iknow this is an area we are all in agreement.For examplewhen any of the card brands do make rule changes in how they enforcePCI, they do not seem to have a defined process on how they disseminateit, just throw it up on some small corner of our website and everyonewill figure it out approach. I only found out about it the day it cameout on MasterCard's PCI merchant web page only because I have many newsalerts (Google, ect.) and monitoring applications that watch for thesethings.Prior to bringing this significant change to my upper management, Iwanted to get as much clarification on the changes and how theyaffected my organization as possible. Of course when contacting myacquiring bank they had no idea about the change, let alone aninterpretation of it. And of course having discussion with colleaguesin my field, they were in some cases as much in the card as I was, thisis of course with the exception of one (you know who you are).

After getting some clarification from one of closest professional friends “the PCI Guru“I decided to take this information to my director, after speaking tosome of the changes I was asked to provide supporting links and/ orofficial documentation that could support all of my statements. Andother than MasterCard's website (with the horrible layout and merchanttable) the only other reference that I could show was a another blog.

My director found it odd this information was not on the PCI-SSCwebsite, our acquiring banks PCI portal (which I think just redirectsto the PCI-SSC site) or any other official website at all. And thatMasterCard's website went into little detail about the changes.

This takes me into my main discussion of why in 2009 5-6 years afterPCI was born, can't the card brands have some sort of formal definedprocess to manage the dissemination of PCI enforcement rule changes. Iunderstand they all act independently (particularly now with MCco-driving the PCI bus now with VISA) and that's cool, but how hard isit to create one.

Case in point to my knowledge the card brands when making anenforcement rule change have never given a warning ahead of time, orexplained the changes in great detail, many times leaving  unansweredquestions that the QSA's, banks and PCI compliance officers have tofigure out as the months go by.

I would like to see some agree upon (heck they could do thisindependently, just do it) process on how these enforcement rulechanges are communicated. For example I think that both acquiring banksand the QSA firms should be made aware of these changes first andnon-publicly and in the case of the banks by direct channels.

After a 30-60 day period where both the banks and the QSA's obtain aclear an accurate understating of these changes, through both dialogueand supporting documentation from the card brands, then the merchantsand service providers should be notified directly by their acquiringbanks. In my opinion that is the information communication flow I wouldlike to see and think would serve us all best.

With regards to posting of this information once it is public; firstI would like to see all the credit card brands build well defined PCIportals on each of the websites that contain their own specificsupporting documentation on their rules with regards to PCIenforcement. Second and I would like to see the card brands work withthe PCI-SSC website and have links on the PCI-SSC website that wouldpoint to the card brands individual web portals (come on how hard is itto keep a link up to date!

Hopefully one day I will click my heals and PCI RSS feeds willsuddenly appear on the card brands websites . . . . . . ok it didn'twork!).





More...