The PCI Security Standards Council is working on clarifying, enhancing PCI DSS 2.0

By Linda Musthaler | September 12, 2012

Posted in: Network Security Trends

The Payment Card Industry Data Security Standard (PCI DSS) was released at the tail end of 2004. The intention of the standard is to create an additional level of protection for card issuers like MasterCard and Visa by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data. The Payment Card Industry Security Standards Council (PCI SSC) is the body that oversees the advancements of the security standard.

Like any technical standard, it has taken time for merchants and the acquirers and processors that handle sensitive cardholder data to fully understand the guidelines of the standard and to attempt to comply with it. To date, merchants of all sizes have spent serious money to implement the necessary security measures. According to the National Retail Federation, between 2004 and 2009, U.S. merchants collectively spent in excess of $1 billion on compliance with PCI DSS as part of their security programs. All that money and more has been invested, and the efforts have done nothing to boost the bottom line of the merchants involved. Nevertheless, compliance with PCI DSS is a necessary evil if merchants want to accept credit and debit cards—and most of them do for the convenience of their customers.

As we all know, compliance doesn’t equal security. There have been numerous breaches even after merchants or acquirers/processors have been audited and found to be PCI compliant. Remember Heartland Payment Systems and RBS WorldPay? How about Hannaford Brothers? All were certified to be PCI compliant and yet they (and their customers) all suffered tremendously from very public data breaches.

PCI DSS may have its shortcomings, but it’s definitely a step in the right direction to improve security in the electronic payments value chain. PCI DSS has called attention to better security at a time when cyber thieves are targeting cardholder data because it is easy to monetize and can be so lucrative for them.

The current version of the standard, version 2.0, was released in October of 2010. Now the PCI SSC is considering updates to the standard for a potential release in 2013. It’s important to revisit the standard every so often to ensure that recommended security measures are keeping pace with emerging threats.

The Security Standards Council is meeting this week (September 12-14, 2012), and one of the items on the agenda is to discuss clarifications about how merchants, acquirers and others should comply with PCI DSS. The Council solicited input about the standard and got responses from all around the world. Most of the comments seek clarification on terminology or specific requirements or prescriptive actions. More than half of all PCI DSS feedback was comprised of the following topics, which are getting attention this week:

[Image: Payment Card Industry Data Security Standard]

Meanwhile, there’s a new training and certification program aimed at third-party POS device installers and systems integrators. The new Qualified Integrators and Resellers Program was created in response to recent attacks on merchants that could have been prevented if PCI requirements had been followed by the systems integrators contracted to work on in-store payment systems.

Many people still question the effectiveness of PCI DSS compliance. After all, it’s a costly and time-consuming endeavor for merchants with little obvious return on investment. However, in 2011 the Ponemon Institute published the report 2011 PCI DSS Compliance Trends Study, in which the authors write: “[A] key finding from this research is that there is a dramatic difference in the number of data breaches experienced by organizations considered compliant with PCI DSS and those that are not compliant. This is true for both cardholder data related incidents and general incidents.” Given the high cost of a data breach in the merchant or acquirer communities, we can conclude that PCI DSS compliance is worthwhile. And hopefully, compliance will become more straightforward as the PCI SSC works on clarifying and enhancing the standard for all.
