PCI (Payment Card Industry) compliance, specifically PCI DSS (data security standard), is a requirement for merchants that operate a credit card processing environment. This requirement usually surprises new merchants as they prepare to take payments from customers. Seasoned business owners who take credit cards for rendered services and products know that staying on the good side of a PCI audit is necessary for A/R operations and a healthy bottom line.
Why was PCI compliance created?
PCI compliance was born out of necessity. The late 1990s and early 2000s brought adventurous merchants who wanted to leverage the Internet to increase revenues through e-commerce. This payments innovation caught the eye of bad guys as well. Crafty cyber criminals found ways to infiltrate card processing systems and payment networks for illegal gains. The major credit card brands saw the need to put their heads together to come up with a standard for merchants for the purpose of slowing down the proliferation of cybercrime.
Pre-PCI DSS Measures
In the fall of 1999, Visa® made the first attempt at creating a security standard with their Cardholder Information Security Program (CISP). Visa struggled with garnering compliance from merchants because of the differences between North American and international security guidelines. Visa wasn’t alone in their failure to create a standard as other brands including MasterCard, American Express, Discover and JCB tried and fell short during that time. These security standard setbacks occurred in the spring of 2001.
The Debut of PCI DSS
The gap in the development of a security standard from 2001 to 2004 was a time of growth in fraudulent online activity. The entire web came under attack by Trojans that infected systems from home computers to payment servers. The creation of a security standard for merchants couldn’t come fast enough.
In December of On December 15, 2001, PCI DSS Version 1.0 was released. This was the first time that all five major credit card brands had come together to create a comprehensive standard for all merchants in the payments cycle. In September 2006, version 1.1 of the PCI DSS was released and called for the professional review of all web applications and the placing of virtual firewalls as a security measure. 2006 also marked the year of the creation of the Payment Card Industry Security Standards Council (PCI SSC).
The end of 2006 ended on a sour note with the TJX (parent company of T.J. Maxx and Marshalls) card breach. 45 million customer credit and debit cards were stolen – making TJX the poster child of what to avoid in the new PCI DSS era.
Things weren’t always smooth in the land of PCI DSS. Many professionals began criticizing the PCI standard, complaining of a lack of consistency in audits and assessment processes by qualified service assessors. Merchants were failing to comply left and right and many called for the PCI SSC to lower the bar. Thankfully, the PCI SSC figured things out in late 2007 by creating an easy and standard method for merchants to achieve PCI compliance. This was quickly followed by the creation of the PA DSS (Payment Application Data Security Standard) which helps developers code secure applications that don’t store sensitive credit card data.
The Current State of PCI
In the fall of 2012, Visa reported that 97% of Level 1 merchants achieved compliance. This is proof that PCI DSS had achieved mass acceptance by businesses that process large numbers of transactions. PCI SSC also released guidelines for mobile application developers during this time. According to a recent and related Computerworld report, Starbucks confirmed vulnerabilities in their popular mobile app. Starbucks admitted to storing user passwords and geolocation information in clear text, which increased the ease and probability of the mobile payment app being hacked. Thankfully, Starbucks has updated the app and sealed its security holes.
As for recent updates, we covered the debut of PCI DSS 3.0 right here on the CardVault Blog. The release of version 3.0 came a month before the big Target breach. Maybe the PCI SSC and the payments industry as a whole will learn new things from the Target breach that will result in tighter and smarter measures in future versions of the PCI DSS.
For a visual representation of PCI DSS history, look at SearchSecurity’s amazing timeline infographic.