In 2000, the number of websites skyrocketed to 17 million, with more than 400 million internet users. Shortly after, a quickly increasing number of online stores came online. Retailers were not the only ones who saw the potential of making money online, however; fraudsters saw it as well.
As online financial fraud began to rise, the leading credit card companies tried to introduce new security standards for their merchants in order to protect cardholder data. The first company to do so was VISA, with its Cardholder Information Security Program (CISP) released in 2001. Others, such as American Express and Mastercard, followed this initiative and created their own security standards.
However, the rate of online financial fraud kept increasing, and merchants, confused by all of the different security standards, were struggling to achieve compliance. For these reasons, the credit card providers convened to create a unified security standard, the Payment Card Industry Data Security Standard (PCI DSS).
In this post, we’ll explore what the Payment Card Industry Data Security Standard (PCI DSS) is, why it is important, what the consequences of being non-compliant are, and also why being PCI compliant is not enough. In the next several posts in this series, we will discuss the payment workflow and how to go beyond PCI compliance to secure your organization.
What is PCI DSS?
PCI DSS was introduced in 2004 as a collective effort of several major credit card companies to reduce online financial fraud. It provides a comprehensive set of best practices regarding how sensitive data should be stored and guidance to minimize the risks of a data breach.
Simply put, PCI DSS states that an organization should never store credit card information in its database or Point of Sale (POS) terminal after a transaction has occurred unless it is necessary to meet the needs of the business. Instead, it should use a third-party credit card vault and tokenization provider.
The standard consists of 12 requirements that cover logging and monitoring, vulnerability scans, risk assessment, physical security, access control policy, and a few other security-related best practices. For a company to be PCI compliant, it must prove that its systems and infrastructure meet all of the requirements.
Who is PCI DSS for?
Any organization that processes, stores, or transmits credit card data must comply with these standards, regardless of its legal structure. This includes governmental agencies, large enterprises, and even small retailers that use e-commerce solutions such as Shopify to outsource all cardholder data functions. The level of PCI compliance can be measured through a verified self-report, an accredited third-party audit, or an onsite/remote network scan.
While PCI compliance is not enforced by law in most U.S. states (Nevada being the exception), the standard is still mandatory, and the major credit card companies behind PCI can sanction non-compliant merchants. The penalty can be a fine of $5,000 to $100,000 per month or even the suspension of merchant privileges, depending on the size of the business and the nature of the non-compliance.
Why is being compliant not enough?
One of the most devastating data breaches in history was the Target Corporation breach. In 2013, 40 million credit and debit card numbers and 70 million records of personal information were stolen. The costs related to this incident were estimated at $252 million. Ironically, Target had been validated as PCI compliant 2 months before the breach.
But how is it possible for a fully compliant company to get breached?
First, it is crucial to understand that PCI DSS is a bare minimum standard to meet, as the PCI Council itself affirms. While compliance can enhance the overall security of an organization, its defined purpose is to help companies protect their customers’ sensitive information, not to make them unbreachable. Therefore, being compliant does not guarantee that a company can’t be hacked.
Secondly, there is a misconception that PCI compliance is a one-time event. Keep in mind that attackers continue to improve their skills and techniques, so new threats are continuously emerging. As long as there is a profit to be made, the pace of attacks on financial data will not slow down. Addressing PCI compliance only for the annual assessment poses a number of significant risks and reinforces the illusion of security. Instead, companies must be proactive in keeping their systems secure, and they should treat PCI compliance as a continuous process that is attended to daily.
Moreover, in the case of a data breach, the credit card providers are empowered to sanction the company with a fine of up to $90 for each compromised cardholder record, even if the company is 100% PCI compliant.
Besides financial losses, a data breach can result in bad publicity for the affected company, reputation damage, lawsuits from affected customers, and in some cases, it can even lead to bankruptcy.
Considering the various penalties associated with a data breach, going beyond PCI compliance and ensuring that the best cybersecurity practices are in place must be a top priority for companies that deal with sensitive information. Simply meeting a minimum standard is not enough to protect an organization and its customers. Securing sensitive information requires both in-depth security and compliance.