NetSPI Blog

Posts Tagged ‘PCI Community Meeting Prague’

PCI in Europe Today

Deke George | Tuesday, November 3rd, 2009

I attended the 2009 PCI Community meeting in Europe last week. Since this was a feedback year, there wasn’t a significant amount of new content; however, there were some interesting points regarding PCI adoption in Europe.

It’s been discussed quite frequently that the Europeans are behind North America in implementing PCI, especially at the merchant level. In my experience and based on the discussions at the conference, I’d say this is true. The consensus at this year’s conference was that this situation is beginning to change.

The traditional arguments against adopting the PCI DSS, such as those surrounding increased security due to Chip and PIN, elicited a fair amount of eye rolling even from other Europeans in the audience. One of the other core reasons for slower adoption is that country-by-country legislation already covers much of what PCI does (France and Germany were the two most cited examples). Interestingly, U.S. state-based legislation was cited as a similar and perhaps more stringent (and therefore more effective) means of securing credit card data. In fact, one of the attendees cited my home state’s legislation, the Minnesota Plastic Card Security Act, which, in my opinion, has had very little impact on organizations that do business in the state.

I think that there are three key items that will drive PCI’s adoption in Europe. First, the Europeans will need to understand that, while very effective for face-to-face transactions, Chip and PIN does not protect card not present (CNP) transactions. As more business is done online, organizations are going to need to deal with the issues that PCI addresses and that Chip and PIN does not. Second, and perhaps most important, acquiring banks will need to enforce the PCI standard. This was a key topic of discussion at the conference and one that appears to still be open. Finally and highly related, the card brands in Europe are going to need to support the PCI standard. The commentary that I heard at this meeting was that this appears to be happening. If that is the case, it should only be a matter of time before the acquiring banksand therefore merchantstake PCI as seriously in Europe as they do in North America.

Permalink | Email the Author

Tags: , ,

European PCI Community Meeting: Some Impressions

Lee Buttke | Monday, November 2nd, 2009

The trip back to the U.S. from the European PCI Community Meeting in Prague took about 12 hours. For someone who lives and breathes PCI, that equals one hour for each of the 12 requirements of the Data Security Standard (DSS). Here are my impressions of the conference.

First, the PCI Security Standards Council did another great job of bringing the payments community together to discuss current topics and provide feedback regarding the DSS. Second, I met a lot of interesting people and made numerous contacts during the networking sessions.

Third, the meetings were well attended and provided valuable information. I was able to discuss the current state of compliance with European representatives from acquirers, card brands, merchants, service providers, and fellow QSAs. One thing that stands out from these conversations is that the U.S. remains in the forefront of payments security.

Fourth, from a QSA or practitioner point of view, two topics of special concern emerged during the open-microphone sessions: issuers and logging. These two areas were also brought up at the North American Community Meeting in September. So the feedback from the community on both sides of the Atlantic indicates a need for more clarification and guidance on how organizations that are classified as issuers need to comply, and for more guidance on how to review logs.

Fifth, if you ever have an opportunity to visit Prague, make sure to do so. The city is amazing, and the Czech people are very hospitable to visitors. It was a perfect venue for the European PCI Community Meeting.

Permalink | Email the Author

Tags: ,