Last week, we published an overview of ISO and X9, as part of a series examining the organizations that maintain the standards with some of the greatest impact on how the payments industry runs. If you missed last week’s article, Part I of Standards and specification bodies that matter to payments is available here. Next, we take a look at PCI and W3C.
PCI
What is it and what does it do? PCI, yes, is an actual acronym. PCI stands for Payment Card Industry, which isn’t very meaningful by itself because the organization is actually the PCI Security Standards Council (SSC), so it is a double acronym. PCI SSC “is a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards and resources for safe payments worldwide” [1] and is without a doubt the reigning champion for creating acronyms. PCI develops and maintains a number of standards, requirements, and testing procedures for account data protection, including:
- data security (PCI DSS),
- payment application data security (PA-DSS),
- PIN transaction security for hardware security modules (PTS HSM),
- PIN transaction security for point of interaction (PTS POI),
- point-to-point encryption (P2PE), and my personal favorites,
- contactless payments (CPoC) and
- software-based PIN entry (SPoC, Live long and prosper!) on
- commercial off-the-shelf devices (COTS)
With PCI, even the acronyms have acronyms! In addition to the development of the standards and other documentation, PCI SSC also qualifies assessors to validate compliance with their standards and requirements, maintains listings of approved products and solutions, and provides training on many of its programs.
Who is it? American Express, Discover, JCB, MasterCard, and Visa founded PCI SSC. These Founding Members have an equal share in ownership, governance, and execution of PCI’s work. An Executive Committee, composed of representatives from the Founding Members and Strategic Members, sets policy for PCI.
- Strategic Members are other multinational “acceptance marks” which currently equates to other card brands. As of this writing, UnionPay is the only Strategic Member listed on the PCI website.
- A Board of Advisors represents and is elected by Participating Organizations (members consisting of other organizations in the payment industry including some merchants). The Board provides input and feedback on the development of the PCI standards, but the Board does not have any voting rights. This means while it can make suggestions, those suggestions may not be adopted.
- Strategic Regional Members are associations that represent national payment schemes at a regional level. Affiliate Members are regional or national organizations that develop and encourage adoption of standards related to the processing, storage, and transmission of cardholder data.
How does it work? A Management Committee made up of members from the Founding Members, Strategic Members, and employees of PCI steers the work of PCI. This Management Committee maintains the Council’s technical work products (including the PCI standards), forms and manages Working Groups, Special Interest Groups and Task Forces, manages the Council’s day-to-day operational functions, and advises the Executive Committee on corporate and operational matters. A Senior Leadership Team, comprised of Council employees, manages day-to-day activities and reports to the Executive Committee.
Working Groups have primary responsibility for developing the PCI standards and are comprised of Founding Members, Strategic Members and Affiliate Members.
Special Interest Groups (SIGs) are focused on challenges related to the standards that impact payment security in order to provide clarity on specific requirements, assess the function of the standards within specific industry verticals/environments or raise awareness of the standards. SIGs are created by a vote of Participating Organizations, Strategic Members and Affiliate Members.
Task Forces provide advice on standards and may participate in drafting standards. Task Forces are formed from Participating Organizations.
Why do we care? PCI SSC is governed by the brands, and its purpose is to create standards which must be maintained by the merchants and acquirers, who can only make suggestions regarding the rules. PCI does not create standards which issuers and networks must adhere to regarding payment security, and PCI is not responsible for enforcing compliance with their standards. Enforcement is left to the payment brands and acquiring banks. The global card brands have all adopted the PCI standards, and compliance with PCI standards is required as a minimum level of compliance. However, each brand and acquirer has its own compliance program in addition to PCI’s program. PCI can and will assess non-compliance penalties for failure to comply with PCI standards, which can include fines and fees that are passed through to the merchant.
W3C
What is it and what does it do? W3C is an acronym that cleverly uses a number to represent a recurring letter because “W3C” rolls off the tongue much more easily than “WWWC.” W3C stands for World Wide Web Consortium and is “an international community where Member organizations, a full-time staff, and the public work together to develop Web standards.” [2] The W3C standards allow developers to build rich interactive experiences available on any device. In addition, W3C has the goal of creating a “Web of data” so that systems supporting trusted interactions over the web can be developed and computers can do more useful work with that data.
Who is it? W3C was founded in 1994 by Tim Berners-Lee along with CERN (Conseil Européen pour la Recherche Nucléaire) and is supported by DARPA (Defense Advanced Research Projects Agency) and the European Commission. In what is not a coincidence at all, Tim Berners-Lee invented the World Wide Web in 1989. W3C is a member organization open to individuals and all types of organizations (including for-profit, not-for-profit, other member organizations and even certain types of projects!). There are currently over 460 members, including MAG. Administratively, W3C is managed by the “Host Institutions” of MIT, ERCIM (European Research Consortium for Informatics and Mathematics), Keio University and Beihang University. A Director and CEO lead the W3C staff (many of whom work for one of the Host Institutions), and a management team allocates resources and conducts strategic planning. An Advisory Committee made up of one representative from each member organization reviews plans and proposals and elects the Advisory Board and the Technical Architecture Group (TAG). The Advisory Board provides guidance on strategy, process, management, legal issues, and conflict resolution. The TAG is responsible for the stewardship of the Web architecture.
How does it work? The W3C Working Groups normally produce the W3C standards (which are called ‘recommendations’) and other deliverables (technical reports, test suites, etc.). Working Groups are made up of representatives from member organizations. The W3C Team (Director, CEO, W3C paid staff, unpaid interns, and W3C Fellows) organizes and manages the activities of the Working Groups. The standards are developed based on consensus of the membership, the Team, and the public. The W3C Process is followed to promote quality and fairness. A charter is created for each group that defines the group’s mission, scope, duration, deliverables, and other elements of the group.
Why do we care? There are a few W3C groups that have a direct impact on payments: the Web Payments Working Group (WPWG) and the Web Payments Security Interest Group (WPSIG). The work of these groups can impact how payments work on the web and how security and privacy are maintained. The Merchant Community Group works to improve the Web for people and organizations that sell goods or services or that accept donations online. In addition to the payments and merchant groups, the Verifiable Credentials Working Group maintains a specification to provide a tamper-evident credential on the Web in a way that is cryptographically secure, privacy respecting, and machine-verifiable.
Next week, at the conclusion of this series, we will discuss the FIDO Alliance and EMVCo.
1. https://www.pcisecuritystandards.org/about_us/
2. https://www.w3.org/Consortium/