Payment Card Industry Digital Security Standards (PCI DSS) compliance is the cornerstone of financial services in the digital age. The standards allow companies of all sizes and industries to conduct business online, over the phone, and in person by protecting the data that enables instantaneous and secure transactions. It is difficult to imagine how the world today would manage without PCI DSS in place.
HISTORY OF PCI DSS
In the early years of the 3rd millennium, as the rapid growth of the Internet began opening digital commerce worldwide, credit card companies read the writing on the wall. They knew that online sales were destined to grow and keep growing, fueling their own growth in the process. They also realized that fraud would grow alongside e-commerce, challenging consumer confidence in this brave new world.
So, in late 2004, the major credit card companies (Visa, MasterCard, American Express, Discover, and JCB, formerly Japan Credit Bureau) got together to create a solution. Together, they agreed on a joint set of industry standards that would define and govern how sensitive card data would be handled in all merchant transactions throughout this new medium.
It quickly became apparent that the rapid evolution of the technologies enabling Internet commerce would require the standards themselves to keep evolving, so on September 7, 2006, the group launched the PCI Security Standards Council (PCI SSC).
ABOUT THE PCI SSC
As an independent body, the PCI SSC administers and manages the PCI standards, ensuring that they keep pace with technology in protecting consumer information. In addition to keeping these standards up-to-date, the Council also provides comprehensive support for them, including specification frameworks, tools, measurement protocols, resources, and collateral materials to aid organizations in safeguarding consumer information.
Interestingly, however, the enforcement of the PCI Digital Security Standards falls outside of the Council’s mandate. It remains up to the credit card companies and banks to ensure that businesses and merchants remain in strict compliance with the standards, and to levy fines when they fail to do so.
PCI DIGITAL SECURITY STANDARDS
The PCI DSS has been modified eight times to date. It is currently in version 3.2.1, with version 4.0 expected to arrive in the first half of 2022.
Although the Standards have gradually evolved over time, most of the framework has remained stable throughout. It is built around a set of 12 requirements that establish what businesses must do in order to comply.
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
While these standards may appear to be extensive and far-reaching, they mostly comprise fundamental best practices for digital commerce. Businesses may prefer to have a lower bar for compliance, but it is not difficult to see how most of the above standards protect both businesses and consumers.
Not only does PCI DSS compliance bolster consumer confidence worldwide, but it also establishes the foundation for corporate security protocols and lays the groundwork for compliance with other industry regulations, such as HIPAA, SOX, POPI, and others.
The PCI SSC also points out that the hazards of non-compliance with PCI DSS go far beyond the threat of fines. Fines range from $5,000 to $100,000 per month, depending on the transaction volume of the non-compliant organization and the nature of the violation. But the costs of a data breach can far exceed those figures. The costs of legal fees and settlements alone can be devastating, and the damage to a business’s reputation can be inestimably high.
Additionally, non-compliant businesses may lose their ability to accept credit cards, and will likely suffer substantial damage to their banking relationship, resulting in elevated rates and transaction fees. Thus, failure to comply with PCI DSS can make the cost of doing business substantially higher, potentially beyond the reach of some businesses.
MAINTAINING PCI DSS COMPLIANCE
To avoid liability, many larger enterprises appoint compliance officers, entrusting them with the responsibility of ensuring PCI DSS and other applicable regulations are properly met. Like other security personnel, compliance officers must remain vigilant and aware of potential threats, taking all needed precautions to avoid issues before they occur.
Compliance officers rely upon solutions such as CallCabinet to stay protected from potential threats and to navigate the changing landscape of PCI DSS and other compliance standards. It can be very challenging to maintain compliance while growing and evolving your business, especially within the financial services industry, which is governed by multiple regulations in addition to PCI DSS.
However, because of the crucial role played by PCI DSS compliance in global commerce, such efforts will remain necessary for the foreseeable future, even as standards evolve and change.