By the year 2000, cybersecurity threats were evolving at a record pace and an increasing number of data breaches were headline news. Online business and buying were on the rise, with smartphones fast becoming the access vehicles of choice.
In response to this global shift, some 15 years ago the payment card industry (PCI) established a set of data security requirements to ensure that all companies who accept, process, transmit, or store credit card information, including user cardholder data, do so securely.
Today, this Data Security Standard (DSS) is truly universal in scope. Applicable to all members of the payment card industry, it has proven effective in reducing the incidence of data breaches and of cardholder data theft and loss across the industry.
The payment card industry is an enormous global community, whose constituents include:
The payment card industry is governed by the PCI Security Standards Council. The Council was founded in 2006 by recognized industry leaders American Express, Discover, MasterCard, Visa Inc., and JCB (formerly Japan Credit Bureau) International. These founding members share equally in the ownership, governance, and execution of the Council's work.
With a commitment to inclusiveness, the Council offers four levels of membership based primarily on transaction volume, and all members of the industry are encouraged to join the Council. A key benefit of membership is the opportunity to contribute to the ongoing maintenance and development of the PCI Security Standard, and to have a voice in the global community.
Over time, the Council has defined a cohesive set of standards, and has continued to evolve and refine them by welcoming feedback from this international community. This enables the Council to assist the two segments of this community by:
Full compliance with the Data Security Standard helps to protect more than 374 million cardholder accounts in the United States alone.
It is important to note that the Council itself does not enforce compliance with the Data Security Standard. This is done by the individual payment brands (i.e., the card companies), such as American Express and Visa, to name just two. Individual financial institutions that process data, such as Bank of America, to name one of many, may also enforce compliance.
As marquee members of the Council, the individual card companies have agreed to incorporate the PCI Data Security Standard as part of the technical requirements for each of their data security compliance programs, and to validate compliance among their various constituents.
Further, the card companies can impose fines on both merchants and financial institutions for non-compliance or its consequences. Financial institutions are responsible for enforcing compliance among the merchants they serve and can also determine penalties for merchant non-compliance.
Generally, fines by the card companies to their banks are not publicized and are not required to be reported outside this self-governing industry. In turn, the banks generally pass their fines along to their merchants in the form of increased transaction fees or contract terminations.
The Council’s mission is to enhance the security of global payment account data by developing standards and supporting services that drive education, awareness, and effective implementation by stakeholders.
There are six fundamental principles the Council promulgates throughout the industry in support of payment account data security. As you will see, they are not onerous or unusual and are based on security best practices established across numerous industries in recent decades. These six principles are:
Stemming from these principles, 12 requirements provide a clear roadmap for securing payment card data from breach, loss, or theft, and thus becoming PCI DSS compliant. In order to achieve compliance with the Data Security Standard, a stakeholder must:
It seems straightforward and clear enough. And companies who maintain extensive IT teams and robust security programs generally have no difficulty implementing the PCI security protocols. But is it that straightforward for all stakeholders? Can all members of the industry, both large and not so large, achieve compliance? Are they required to do so?
It is not unusual to find members of the payment card industry who believe that compliance is not required, simply because PCI DSS is not part of federal law or regulation and is not governed by a federal regulatory agency.
While the above is true, all industry members are in fact required to comply. The PCI Data Security Standard globally applies to any company that accepts, stores, processes, or transmits cardholder information. The aim is to secure the entire supply chain and network—and this includes all merchants, all financial institutions, all POS equipment vendors, and all hardware and software solutions providers who are involved in any way with the handling of cardholder data.
There is no shortage of vendors who offer a selection of hardware, software, and services for PCI-compliant cardholder data security. And it’s tempting to hope for a single vendor who can meet all 12 requirements, or to offload your responsibility for PCI compliance to an expert third party.
However, read through the 12 requirements carefully and you will realize there is no single solution that can possibly address all of them. There are internal actions that only you can take, and internal security controls only you can implement, for example. As a member of the payment card industry, you must accept responsibility for implementing a holistic security strategy that meets all 12 requirements in addition to addressing the overall intent of the Data Security Standard. While this may not be easy, there is a path and assistance is available.
Indeed, digesting six principles and understanding and implementing the 12 security requirements seems overwhelming, especially when you’re running a business, wearing many hats, and focused on profits. But the fact is that your customers count on you to maintain effective security for their personal data. And they assume you do.
There’s no need to feel overwhelmed. Remember that the journey of a thousand miles begins with a single step. One way to take that vital first step is to hire an experienced, credentialed security firm to assess your security, and point out all of the gaps between your current security and the 12 requirements. Do your homework to be certain they are experienced in PCI DSS assessments, and able to recommend compliant products and services that can help you effectively and efficiently achieve PCI DSS compliance. Once you get started, the rest will not be difficult. And you’ll sleep better knowing that you’re not jeopardizing your customers’ data.
Complying with federal regulations, laws, and universally accepted standards comes at a price, of course. Every business, of every size, has expenses directly and indirectly related to complying with regulatory and legal requirements: accounting expenses related to filing proper IRS tax returns, administrative expenses related to complying with EEOC requirements, and so on. It’s a long list, and likely to become longer still in this digital age.
Implementing PCI DSS must become an integral part of your business plan, your basic data security strategy, and your budget.
The family-owned restaurant on Main Street, the independent hardware store down the block, the dry cleaner with three locations in town—these and other small merchants take credit card payments, provide receipts, and send transactions to their banks for processing. Regardless of volume, these merchants are all governed by PCI DSS requirements.
This is why the Council recognizes four different levels of merchants, primarily based on transaction volumes. And why it offers reasonable compliance alternatives to accommodate each level. The reality is that the scale and impact of a security violation or data breach at a small merchant is likely to be less severe than at a large chain retailer or regional bank.
A merchant designated Level 4, for example, is able to attest to a basic level of PCI DSS compliance at virtually no expense. Instructions and forms are available in the PCI library. The simple process involves completing a Self-Assessment Questionnaire, having a security vulnerability scan or penetration test performed and documenting that it passed, completing an Attestation of Compliance, and then submitting this documentation to your merchant bank.
Achieving compliance with the PCI Data Security Standard is vitally important for all members of the payment card industry, as well as for the consumers and businesses who use credit cards to pay for goods and services. Substantial guidance is available to assist all stakeholders in securing their card data environments, including hardware, software, and systems, against unauthorized intrusions, data breaches, and security violations.
Myths surrounding PCI DSS compliance cause some stakeholders to resist adopting the Data Security Standard. However, the consequences of non-compliance can be far more burdensome than the cost of implementing the 12 security requirements. With accommodations for smaller merchants, the PCI Council has made it easier for all members of the payment card industry to comply with the universal Data Security Standard, and thus secure card data for cardholders worldwide.