10 Years of PCI DSS: What Has it Really Achieved?
Can you remember what you were doing a decade ago? A lot can happen in 10 years.
Well, you were probably running Windows XP on your PC, your mobile phones may have had a revolutionary new camera (smartphones were two years away), and you may have switched to Google as your primary search engine.
You may have started looking at Facebook to replace your MySpace page which currently dominated your social media world. It was also the year that a lot of card data breaches were hitting the headlines. Companies were storing credit card holder data unnecessarily, along with passwords and other personal data, using it for loyalty programs and leaving the data open to criminals. Card data passing through companies was not encrypted, and often transmitted through unguarded channels. Web infrastructure attacks were becoming rampant. Attackers were finding and exploiting vulnerable machines, planting keystroke loggers, and Trojans on them and then use that malware to steal payment card details.
And while the consumer became the growing victim to fraud, the banks and credit card companies were left holding the bill.
A group of the five largest card issuers got together and formed the Payment Card Industry Security Standards Council, as they had realized that a) greater efforts needed to be made to protect cardholder data, and b) merchants were struggling to comply with 5 separate security policies – having a single uniform policy was much more sensible.
Hence the Payment Card Industry Data Security Standard (PCI DSS) was created. The industry and merchant community finally had a consistent and clear standard to work towards, to secure payment information. Or did it?
A Rocky Start
Things didn’t start off too smoothly for PCI DSS. The Standard came under heavy criticism for a lack of consistency in audits and assessment processes by qualified service assessors. Merchants all over the world were failing to comply and many called for the PCI SSC to lower the bar.
But the PCI SSC reviewed the approach and by the end of 2007 had created a much easier method for merchants to achieve PCI compliance. This was quickly followed by the PA DSS (Payment Application Data Security Standard) which helps developers code secure payment applications.
So what have been the main achievements of PCI DSS over the last decade?
Despite being perceived by many organizations as a financial and resource burden, PCI DSS has improved payment security awareness across board rooms. It is no longer confined to security or risk teams and is a fundamental regulation that is taken extremely seriously.
Most importantly, it has raised awareness of the risk posed by the unnecessary storage of payment card information and the relevant impact of this data being stolen. Organizations were fairly oblivious to how card holder data impacted their organization directly.
In the event of a breach, the potential fines for non-compliance to the Standard are significant. Large enough to urge huge investment in time and in money to ensure Standard requirements are met. The Standard isn’t law, but the agreement you sign with the issuer is, and you will feel the pain if you are caught out.
Technology has also evolved through encryption and tokenization. This means it can protect the data early as possible within the transaction process so it will not expose the information to potential criminals as it traverses corporate IT systems.
So what of the future – the next 10 years?
Whether the Standard is around in 10 years or not really depends on how payments are made and how the ecosystem evolves. If there is still sensitive data in transit or at rest which needs to be protected, then nearly all of the PCI DSS controls to protect that information will remain.
The question should be: what will a payment account number look like in 10 years? It may be dynamic information, in which case the PCI DSS will need to focus on how that dynamic information is created, how authentication of the transaction occurs and other important aspects of a payment transaction. Less focus will be necessary on the merchant and processing environments.
The Council is already discussing these issues, and many other payments technologies which are today in their infancy.
Until the payment industry finds a way to remove payment information entirely from a transaction, whilst still retaining a secure and seamless process for the customer, the PCI DSS will still have a place.
Leading companies around the world rely on Eckoh.
Eckoh's solutions solve the immediate and longer term economic impacts for PCI compliance, protecting businesses and their customers' card holder data in a cost effective and unique manner.
CallGuard can de-scope all or parts of the call center environment from PCI DSS. It’s extremely flexible and fits in seamlessly to complement existing PCI DSS compliance, fraud risk and security measures by using DTMF masking or tokenization technology.
For expert advice, get in touch today on 01442 458 300.By: Nicky Hjerpe
Does it feel like it's panto season in your contact centre every day? If so,…
We've all watched on in horror ... as an out-of-control child creates havoc at a…