In Depth
All About the PCI Data Security Standard
More than just another data-security standard, the PCI program is corporate America's most ambitious effort yet to prove that it can self-regulate. But even a standard with everything going for it might not be enough to stop the loss of credit card data.
By Sarah D. Scalet
The PCI program is the largest, most ambitious of such efforts to date. Last autumn, American Express, MasterCard, Visa and other highly competitive rivals came together to fund an independent PCI Security Standards Council, which will promote and drive a single data-security standard. In the midst of a steady stream of credit card breach announcements from companies large and small, the message the card associations wanted to send was clear: They are doing something about the problem.
But will it be enough?
“Remember, the reason the PCI standard exists is to avoid legislation from Congress,” longtime CISO John Kirkwood says plainly. Kirkwood is no stranger to PCI. The former CISO of American Express, he is now global information security officer for $52 billion Dutch grocery-store chain Royal Ahold, where he has to make sure that subsidiaries such as Stop & Shop comply with the standard. He has dealt with his own recent security breach, involving checkout equipment tampering in at least six Stop & Shop stores in Rhode Island and Massachusetts.
“The credit card companies said, hey, wait a second, you don’t have to legislate us. We’ll regulate ourselves,” Kirkwood continues. “It’s going to be very interesting to see what happens in light of the TJX incident. I can see another [Gramm-Leach-Bliley Act], another Sarbanes-Oxley coming.” Indeed, soon after the breach was disclosed, as TJX-related cases of fraud started to surface, legislators began pointing to the incident as further proof that Congress must take action.
All of which means that it’s showdown time in the battle between government regulation and preemptive industry self-regulation. Businesses that accept, process and enable credit card transactions will have to convince legislators (not to mention the American public) that the PCI program is going to prevent data breaches. If they can’t, the implications will reach far beyond the payment card industry, as the PCI standard goes down in history as nothing more than a crash test of private industry’s ability—even under the best possible circumstances—to regulate itself.
A Sharp Stick
The roots of the PCI standard date back to the summer of 2000, when Visa unveiled its “Digital Dozen” of rules that merchants needed to follow in order to accept its credit and debit cards. The requirements ranged from installing firewalls to encrypting data to restricting physical access to cardholder information. “Eventually, if we don’t have proof from an independent third party that you qualify with our requirements, we really don’t want you to take the card,” a Visa executive told CIO magazine (a sister publication to CSO) in 2002.