Two longtime rivals in the credit card business are working together to create a private group that would set new industrywide security standards as early as the middle of this year, a MasterCard executive said on Wednesday.
Security officials from Visa USA and MasterCard International began quietly meeting early last year to discuss the best way to improve data security. But the high-profile disclosure of a security breach at CardSystems Solutions, a tiny payment processor that left 40 million cardholder accounts exposed to fraud, has given the effort a new push.
Visa and MasterCard executives have separately proposed the idea of an independent standard-setting body that could certify that member banks and merchants met certain guidelines and standards.
"We have had preliminary conversations, and it would be a good idea to have these PCI standards in an open standards body," said Chris Thom, MasterCard's chief risk officer, referring to the payment card industry rules.
"There is no reason that this shouldn't be done," he said.
At a Visa-sponsored conference in October, the company's chief executive, John Philip Coghlan, publicly floated a similar idea.
"We're exploring a plan to encourage all stakeholders in the payment chain to help create an objective, stand-alone entity to manage data security issues for the entire industry," he said.
At the time, MasterCard acknowledged it had had discussions with Visa about that type of approach but maintained it believed that the current standards were effective.
Still, the extent of the proposed agency's enforcement power, if any, is unclear, as is the potential makeup of the group's representatives.
And it is also too early to determine how the new security standards would differ from the payment card industry's existing ones, which outline a common set of rules with slight differences among the card companies.
Although Discover Financial and American Express do not appear to be participating in the discussions, Visa and MasterCard, whose cardholders are responsible for roughly 80 percent of all credit and debit transactions, may have the power to bring a new standard-setting body into being.
In the wake of the CardSystems data breach, Visa and MasterCard executives acknowledged that existing security standards were not always being followed. Even today, Visa said, only 15 percent of the 215 biggest retailers that accept its cards can certify they fully meet the payment card industry's current standards.
Data security specialists say fewer than 1 percent of the roughly 5 million merchants in the US have even submitted a security plan.
In response, each of the major card companies has introduced a raft of new proposals, often with more public relations bark than actual bite.
Thom of MasterCard said that Visa and MasterCard executives have been working to revise the current rules to "build more flexibility into the standards without undermining" them.
He said the proposed changes could be introduced sometime in the first quarter, and the new open standards body might be unveiled sometime in the quarter after that.
Rosetta Jones, a Visa spokeswoman, however, said that the card company was still exploring the concept. Judy Tenzer, an American Express spokeswoman, said that they were not working on any independent standards apart from the existing ones.