There has been plenty of talk about the Payment Card Industry Data Security Standard (PCI-DSS), especially after the recent data breaches at US retailers Target and Neiman Marcus, which exposed the credit card data of millions of consumers.

But what is PCI-DSS and why does it matter?

1. What is PCI-DSS?

Set up by Visa, MasterCard and other credit card organisations in 2004, PCI-DSS is a list of 12 requirements that apply to all organisations and merchants handling card data, to ensure they use appropriate security to store and protect credit card data against the misuse of personal information.

This requires companies to hold card data in isolated areas within the IT network. It also states that companies must encrypt stored card data, use up-to-date anti-virus software and a properly configured firewall, regularly monitor their security controls and conduct security audits. A full list of the requirements can be found here.

Under the Data Protection Act, the Information Commissioner’s Office (ICO) and major credit card issuers may impose large fines on organisations or prevent them from processing transactions if they fail to meet these obligations.

2. What is PCI-DSS V.3?

2014 is also the year in which the PCI-DSS Council put version 3.0 into effect, which aims to move organisations from a compliance mindset towards more comprehensive security approaches.

New requirements include steps to mitigate payment card risks posed by third parties, such as cloud providers and payment processors, with increased focus on education, awareness and security as a shared responsibility.

V2.0 will remain active until 31 December 2014 to ensure organisations have adequate time to make the transition.

3. Compliance

While PCI-DSS compliance is not enforced by law, businesses are usually bound to comply through the terms of the contracts between the merchant, the acquirer and other parties.

However, a recent report from Verizon, a major PCI-DSS assessment firm, found that only 11.1% of organisations that accept card payments complied fully with PCI-DSS in 2013.

The report suggests that data breaches are not a failure of security technology or of the PCI-DSS itself, but a failure to implement the appropriate measures.

The standards are also very vague, according to Lamar Bailey, director of security for R&D at Tripwire. They provide some guidelines but not many specifics, he says.

"For example, the standard says you cannot use weak encryption, but doesn't define which ones are weak and which are not, so the third party makes that decision and the decisions can vary, or the party being scanned can disagree with the auditor and ask for an exemption."

He added: "The second and bigger problem in my opinion is that many organisations think that if they can pass a PCI audit then their network is secure and that is far from the truth.

"The PCI audit is a good starting point but that is all – with all the data breaches at banks, stores, and financial institutions over the last year, it is obvious that being PCI compliant doesn’t make the organisation secure."