February 21, 2014, updated 22 Sep 2016 11:08am

What is PCI-DSS and why does it matter?

Three things you need to know about the Payment Card Industry Data Security Standard.

By Amy-Jo Crowley

There has been plenty of talk about the Payment Card Industry Data Security Standard (PCI-DSS), especially after the recent data breaches at US retailers Target and Neiman Marcus exposed the card data of millions of consumers.

But what is PCI-DSS and why does it matter?

1. What is PCI-DSS?

First published by Visa, MasterCard and the other major card brands in 2004, PCI-DSS is a set of 12 requirements that applies to any organisation or merchant that stores, processes or transmits cardholder data, to ensure it uses appropriate security controls to protect that data against theft and misuse.

In practice this means keeping card data in a segmented part of the IT network (the cardholder data environment), encrypting stored card data and card data sent across public networks, running up-to-date anti-virus software behind a properly configured firewall, monitoring security controls on an ongoing basis and conducting regular security audits and tests. The full list of requirements is published by the PCI Security Standards Council.

Under the Data Protection Act, the Information Commissioner’s Office (ICO) may impose large fines on organisations that fail to protect personal data, and the card brands and acquiring banks may levy their own penalties or prevent an organisation from processing card transactions if it fails to meet these obligations.


2. What is PCI-DSS V.3?

This is also the year in which the PCI Security Standards Council put version 3.0 of the standard into effect, which aims to move organisations from a once-a-year compliance exercise towards a more comprehensive, continuous security approach.

New requirements include steps to manage the payment card risks posed by third parties, such as cloud providers and payment processors, with increased focus on education and awareness and on security as a responsibility shared between the merchant and its service providers.

Version 2.0 will remain valid until 31 December 2014 to give organisations adequate time to make the transition.

3. Compliance

While PCI-DSS compliance is not enforced by law, businesses are usually bound to it contractually, through the terms of the agreements between the merchant, its acquiring bank and the card brands.

However, a recent report from Verizon, a major PCI-DSS assessment firm, found that only 11.1% of organisations that accept card payments were fully compliant with the PCI DSS when assessed in 2013.

The report suggests that data breaches are not a failure of security technology or of the standard itself, but of organisations failing to implement and sustain the required controls between assessments.

The standards are also very vague, according to Lamar Bailey, director of security for R&D at Tripwire. They provide some guidelines but not a lot of specifics, he says.

"For example the standard says you cannot use weak encryption, but does not define which ones are weak and which are not, so the third party makes that decision and the decisions can vary, or the party being scanned can disagree with the auditor and ask for an exemption.

He added: "The second and bigger problem in my opinion is that many organisations think that if they can pass a PCI audit then their network is secure and that is far from the truth.

"The PCI audit is a good starting point but that is all – with all the data breaches at banks, stores, and financial institutions over the last year, it is obvious that being PCI compliant doesn’t make the organisation secure."
