“The PCI Security Standards Council touches the lives of hundreds of millions of people worldwide. A global organization, it maintains, evolves and promotes Payment Card Industry standards for the safety of cardholder data across the globe.” – PCI Security Council
People use credit cards to make purchases online, over the phone and in stores for personal and business reasons, amounting to billions of dollars in transactions across the globe. Their cardholder data is protected by requirements set by the Payment Card Industry Security Standards Council (PCI SSC), and meeting those requirements doubles as a structured risk assessment for any organization that processes payment data. This year marks the 10th anniversary of the formation of the PCI SSC, so we thought it an appropriate time to review its progression.
The PCI Data Security Standard (DSS) is maintained by the five major card brands, Visa Inc., Discover Financial Services, American Express, JCB International, and MasterCard. Version 1.0 of the standard was released in December 2004, and in 2006 the brands formed the PCI Security Standards Council to manage it jointly. PCI DSS requirements are intended to protect cardholder data throughout a transaction, from the point of sale, through transmission, to storage of the information. Every organization involved in processing, storing, or transmitting payment card data must comply with the current PCI DSS. As of this writing, PCI DSS version 3.2, released in April 2016, is the current version.
“When the PCI Council first started 10 years ago, we had the goal to establish the first aligned global standard for payment card data security and create awareness of growing attacks. Today, that challenge has become more complex as innovation has provided a wealth of new opportunities to use and accept payments,” said PCI Security Standards Council Chief Technology Officer Troy Leach, speaking at the annual PCI North America Community Meeting in September.
The PCI council reviews and updates its standards to incorporate the latest threat information and best practices for data security. Understanding the current state of payment card security helps businesses plan, minimize risks, and maintain compliance in a competitive and changing digital landscape.
The History of the PCI DSS
The Payment Card Industry Security Standards Council was originally formed by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International on September 7, 2006, with the goal of managing the ongoing evolution of the Payment Card Industry Data Security Standard.
According to the Payment Security Council, “PCI DSS specifies 12 requirements entailing many security technologies and business processes, and reflects most of the usual best practices for securing sensitive information.”
The PCI DSS requirements are grouped under six goals:
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
In response to industry changes and rising cybercrime, the PCI SSC makes regular updates to the standard used to protect consumer financial information. However, while many organizations struggle to keep up with the evolving standard, major data breaches such as the one Yahoo announced in September 2016 raise questions about the efficacy of checklist standards compared with holistic, individualized security programs.
Since the PCI SSC released version 3.0 in November 2013, the standard has matured in the marketplace. Subsequent updates (3.1 in April 2015 and 3.2 in April 2016) have clarified existing requirements and addressed changes in the threat landscape, such as the retirement of SSL and early TLS as acceptable encryption for cardholder data in transit.
Pros and Cons of Current Standards
Many companies accept PCI DSS as part of their compliance framework. As the number and severity of cyber attacks increase, reviewing the perceived pros and cons of the standard helps businesses recognize the benefits of proactive security measures. Consider the strengths and weaknesses of the current PCI DSS, many of which apply to the larger cybersecurity landscape.
- The PCI DSS creates a solid, consistent framework for security practices. With clear requirements governing how cardholder data is stored, how vulnerabilities are addressed, and how incidents are reported to financial institutions, the standard sets a strong baseline for security-related activities, and regular updates help organizations keep those practices current.
- PCI DSS applies to merchants as well as to their third-party service providers. In addition to point-of-sale vendors and payment processors, third-party data handlers, application providers and managed service providers (MSPs) may see or manage sensitive payment information.
The latest version of PCI DSS, version 3.2, adds requirements for service providers to conduct regular reviews and tests of their own security controls to maintain compliance. In theory, this closes another weak link in the chain of organizations that handle payment card data.
- Mandatory quarterly vulnerability scans provide a security baseline. A card handler must run internal and external vulnerability scans at least quarterly (external scans performed by an Approved Scanning Vendor) and undergo a full compliance assessment once a year. This gives consumers and the card brands some assurance that basic security hygiene is being maintained.
- Organizations of all sizes struggle to keep up with frequent changes and nuances of the standards. Small businesses do not have the resources to manage manual processes, and large enterprises must often manage standard compliance across geographical locations and a number of integrated systems. Manual compliance tasks take up valuable time and resources that many organizations just can’t manage.
- PCI DSS compliance does not guarantee protection. Spending the hours and dollars needed to maintain compliance with the industry standard will not eliminate the threat of a breach. Companies must continue to manage their own comprehensive security policies as part of a risk management strategy.
- The standard specifies security controls, but not how to manage the people and processes around them. Often, security weaknesses arise from how people and practices are managed, not from the systems themselves. If departments within a business cannot work together, they create vulnerabilities rather than close them. You will still need security and compliance expertise to train your team correctly.
As a starting point, the PCI DSS does an excellent job of establishing security guidelines for handling payment card data. As a complete security framework, however, it leaves room for improvement. It is up to you to interpret and implement the requirements in a way that protects your organization and the privacy of cardholders.
The current PCI DSS creates challenges for those who must maintain compliance, but it sets the stage for strong security practices. The reality is that 91% of business organizations are vulnerable to data security threats (via Thales Security), and the bottom line is that being compliant does not eradicate risk. Cybersecurity requires ongoing, proactive audits, updates, and optimizations. Consider the PCI DSS an opportunity to get ahead of the game and integrate security practices into the core of your business model.
At OnRamp, we understand the technology that works to meet PCI DSS’ compliance requirements and can guide you through how each requirement maps directly to an IT solution. If you want to learn more about PCI compliance, OnRamp has a number of resources to help you stay compliant.
Additional Resources on This Topic:
PCI DSS Version 3.2: What You Need to Know
The history of the PCI DSS standard: A visual timeline
Vital Points of Failure to Address Immediately for PCI DSS Compliance—Part One
Vital Points of Failure to Address Immediately for PCI DSS Compliance—Part Two