Credit Card Brands’ Lack of Communication
Prior to bringing this significant change to my upper management, I
wanted to get as much clarification on the changes and how they
affected my organization as possible. Of course when contacting my
acquiring bank they had no idea about the change, let alone an
interpretation of it. And of course, having discussions with colleagues
in my field, they were in some cases as much in the card as I was, this
is of course with the exception of one (you know who you are).
After getting some clarification from one of my closest professional friends, “the PCI Guru”,
I decided to take this information to my director. After speaking to
some of the changes, I was asked to provide supporting links and/or
official documentation that could support all of my statements. And
other than MasterCard’s website (with the horrible layout and merchant
table), the only other reference that I could show was another blog.
My director found it odd this information was not on the PCI-SSC
website, our acquiring bank’s PCI portal (which I think just redirects
to the PCI-SSC site) or any other official website at all. And that
MasterCard’s website went into little detail about the changes.
This takes me into my main discussion of why, in 2009, 5-6 years after
PCI was born, can’t the card brands have some sort of formal, defined
process to manage the dissemination of PCI enforcement rule changes? I
understand they all act independently (particularly now with MC
co-driving the PCI bus with VISA) and that’s cool, but how hard is
it to create one?
Case in point: to my knowledge, the card brands, when making an
enforcement rule change, have never given a warning ahead of time or
explained the changes in great detail, many times leaving unanswered
questions that the QSAs, banks and PCI compliance officers have to
figure out as the months go by.
I would like to see some agreed-upon (heck, they could do this
independently, just do it) process on how these enforcement rule
changes are communicated. For example, I think that both acquiring banks
and the QSA firms should be made aware of these changes first and
non-publicly, and in the case of the banks, by direct channels.
After a 30-60 day period where both the banks and the QSAs obtain a
clear and accurate understanding of these changes, through both dialogue
and supporting documentation from the card brands, then the merchants
and service providers should be notified directly by their acquiring
banks. In my opinion that is the information communication flow I would
like to see and think would serve us all best.
With regard to posting of this information once it is public: first,
I would like to see all the credit card brands build well-defined PCI
portals on each of their websites that contain their own specific
supporting documentation on their rules with regard to PCI
enforcement. Second, I would like to see the card brands work with
the PCI-SSC website and have links on the PCI-SSC website that would
point to the card brands’ individual web portals (come on, how hard is it
to keep a link up to date!
Hopefully one day I will click my heels and PCI RSS feeds will
suddenly appear on the card brands’ websites . . . . . . ok it didn’t
work!).