Earlier this week I posted some thoughts I had about the newly released draft. Unfortunately, I couldn’t give you guys the actual analysis that both I and folks in my company performed (though, if you become a customer of my company, and are already a PO I am certain we can present something to you). Why? Because the Council still is treating this as a pay-to-play community without thinking about the broader impact to the ecosystem.

Ski Mask, by Dave Wasson

Ski Mask, by Dave Wasson

The folks who frame the standard are some smart, experienced people. I’ve met and worked with all of them in varying capacities, and their job is incredibly challenging while being completely thankless. If you think about how things work in their world, they are guaranteed to anger someone virtually every single day. I have a great deal of respect for that team because they do a job that most people would never want to do.

Part of the vitriol aimed at the framers is, in part, because they lack recent experience in the operational impact that the standard has to a company and the ecosystem. We’re all trying to improve the security of payments and the ecosystem that enables them; I really do believe this. Having recent first hand knowledge would remove some of the challenges of developing the standard.

But this is really not that big of an issue in the long run if you have the right process. Once changes are proposed, they should be circulated to the largest audience possible. Think about how NIST generates their SP 800-series computer security publications. First they announce an intent to publish, then they build drafts and circulate them for public commentary, and finally its incorporated into a final document. You don’t have to pay; you just go to the website. NIST even provides a standard form for submitting feedback. NIST has limitations and the Council does do some things better like stick to deadlines (for the most part). What I’m suggesting is to take the best of both worlds and publish drafts early, often, and make them freely available to everyone.

Imagine the amount of constructive feedback the framers could directly receive through public discussions of issues. Instead, they operate in a partial vacuum (partial because only POs and other stakeholders have access to the documents, and even that is not widely distributed early in the process) and make decisions on the content of the standard for the larger community without any real stake in the end result. For example, actions taken (right or wrong) from their choice of language in the standard do not impact them directly because they don’t have to implement anything.

There - I Fixed It, by dierken

There – I Fixed It, by dierken

Another reality the Council is begrudgingly facing is that of new technologies. Business, technology, and the hacks that target them both are moving at speeds that massively outpace the standard. Our executives are handing us edicts to embrace emerging technology to keep pace with competitors. I’m not suggesting the standard should include requirements for every technology as I am in favor of trying to make the standard universally applicable. But what would be helpful is some sort of linkage to baseline security standards for these technologies to allow them to operate securely.

So my call to action, if you feel that this impacts you, is to kindly approach your Council representative to ask for open access to the Standard in the future. If you continue to choose to be an in-scope entity based on the way you process, store, or transmit cardholder data, you should be at the front of the room with your concerns. If you choose to outsource (which is not such a bad idea these days), then blissfully fade to the back.

We can skip the rant about the slow moving standards that sit behind the times and simply just ask for two things:

  1. Let’s make the Standards freely available to all during development.
  2. Provide better linkage from the standard to emerging technologies (and please don’t tell us to NOT use them).

The comments are open below, and I know some of you have strong opinions!

This post originally appeared on BrandenWilliams.com.

Possibly Related Posts: