History and Status of the PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) was created in response to the rapid growth of credit card transactions in the 1990s, which led thousands of small companies to start storing credit card data and processing consumer transactions on unprotected networks. Since many of these small businesses didn’t know how to properly secure these credit card transactions, the result was a rapid increase in data theft and a growing concern among banks and credit card companies about how to protect their brands and consumer accounts. In an effort to address the growing problem of payment card fraud and cybercrime in general, industry leaders such as Visa, MasterCard, and American Express came together and created a global security standard to protect card payments.

The PCI DSS standard was established to set baseline guidelines and requirements for how businesses must build a safer cardholder data environment, defining minimum security requirements that would lead to more secure business systems. As the standard evolved and its procedures became more refined, PCI DSS became an internationally accepted standard for all merchants and service providers.

PCI DSS History

PCI DSS was introduced in December 2004, after Visa and other brands had introduced their own standards. These brand-specific standards weren’t well received by merchants and service providers, since many of these were small companies that didn’t need the confusion of multiple competing standards.


Retail Shift to EMV Doesn’t Solve Credit Card Security

Protecting and securing payment systems and consumer data is a never-ending task for all parties in a payment network, and it’s also a moving target. Attendees at the Electronic Transactions Association’s TRANSACT conference in Las Vegas (which includes credit card companies, banks, payment processors, regulators and retailers) all share the same fear. Given the fluid nature of security and hacking, any solution is potentially only a temporary one. They know that as soon as a new system or firewall is put in place, attackers are already working out how to defeat or bypass it.

Most large retailers have had payment and data security teams in place for years, and have been working to migrate payment systems from the current magnetic stripe card readers to EMV systems (the chip-embedded card and PIN-code technology widely used in Europe, often called “Chip and PIN”). Visa and MasterCard are giving merchants until October 2015 to have an EMV system in place. If merchants don’t comply, liability for fraudulent purchases will shift from the card companies to the merchants themselves. After the high-profile retail data breaches at Target, Neiman Marcus and Michaels, a number of retailers are accelerating their EMV technology plans.

The migration won’t be cheap or easy. Some have estimated it will cost retailers between $20 billion and $50 billion to upgrade systems to be EMV-compliant, while it will cost only about $2 billion to replace all consumer credit and debit cards with the new chip-embedded technology. Just weeks ago, Wal-Mart (the world’s largest retailer) enabled software at about 1,000 of its U.S. stores to accept chip-and-PIN cards, though few of those cards are currently in use in the U.S.

Target has said upgrading its payment systems to accept chip-and-PIN cards is part of a $100 million effort to ready all of its 1,800 locations by the first quarter of 2015. The estimated cost for smaller mom-and-pop stores is around $3,000 per store. This will move the entire point-of-sale system to a safer, smarter, and more secure platform.

But EMV systems are far from a panacea. When we look at the Target breach or those at other retailers, they were breaches of the retailers’ own systems, not of the cards. EMV wouldn’t have done anything to stop the Target breach. EMV adds cryptographic protection to the card itself, so card data captured at the terminal is harder for criminals to replicate onto counterfeit cards, but it wouldn’t have prevented the attackers from getting the data in an attack like the one at Target, where the retailer’s systems were compromised.
