In Depth
All About the PCI Data Security Standard
More than just another data-security standard, the PCI program is corporate America's most ambitious effort yet to prove that it can self-regulate. But even a standard with everything going for it might not be enough to stop the loss of credit card data.
By Sarah D. Scalet
Visa, it was clear, had an especially pointy stick with which to prod its business partners—and, with its cards accepted at millions of locations worldwide, an especially far-reaching group of business partners who could be prodded. American Express, Discover and MasterCard soon whittled similar sticks to prod far-reaching business partners of their own. Compared with, say, the federal government’s ineffectual attempts to enforce the Health Insurance Portability and Accountability Act, card companies’ chances of success seemed promising. They had both resources and commercial clout. “Ultimately the reason companies need to be able to comply with PCI is that Visa and MasterCard have the ability to cut them off,” says Mark Rasch, a former federal prosecutor who’s now a computer security consultant. “You could pay a fine. If you’re a large financial company, you could pay a fine of a million dollars. But if they told you tomorrow that you can’t process credit cards, you’re out of business.”
Not surprisingly, though, merchants balked. As the standards from the various card associations grew and took shape, merchants had two main complaints: first, that there were too many standards, and second, that they had insufficient input into how standards were formed.
“Merchants had to certify with each brand,” explains Julie Fergerson, cofounder and board member of the Merchant Risk Council, a trade association. “Each of the four were coming up with their own individual products and weren’t necessarily talking to one another.”
To address these concerns, more than half a decade after Visa’s Digital Dozen was created, rival card companies came together to form an army of sorts. The PCI Security Standards Council was created last September as a joint agreement between American Express, Discover, JCB, MasterCard Worldwide and Visa International. Each of the companies contributed seed money and agreed to push jointly for a single set of security requirements—this being the PCI Data Security Standard, which still has 12 main criteria that encompass installing firewalls, encrypting stored cardholder data and restricting physical access to cardholder information, among other things. A primary goal of the common standard is to prevent merchants from ever retaining, once a transaction has been authorized, the full contents of a card’s magnetic stripe (which identifies the cardholder and carries the data used to verify the card), PIN data, or the security code printed on the card that merchants use to authenticate online transactions. (See PCI To-Do List for highlights of the standard.)
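As an added example (not part of the article, and not tooling from the council or any card brand), the following Python scanner shows what the prohibited data looks like and how a merchant or assessor can check logs and files for it: it recognises full Track 1 and Track 2 magnetic-stripe records, finds bare 13- to 19-digit account numbers that pass the Luhn check, and reports each finding with the PAN truncated to its first six and last four digits, the truncation PCI DSS permits for display. The log lines are constructed; the card numbers are Visa's public test numbers 4111111111111111 and 4012888888881881, and the function names are my own.

```python
import re

# Track 1 (ISO/IEC 7813 format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})(?P<sc>\d{3})[^?]*\?"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<sc>\d{3})[^?]*\?")
# A bare run of 13-19 digits not adjoining other digits. The Luhn check below weeds out
# order numbers, timestamps and other digit strings that merely have the right length.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate a PAN to first six and last four digits, the display form PCI DSS allows."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def classify_line(line: str):
    """Return (kind, pan) for the most serious cardholder data found on a line, or None."""
    m = TRACK1_RE.search(line)
    if m and luhn_ok(m.group("pan")):
        return "track1", m.group("pan")
    m = TRACK2_RE.search(line)
    if m and luhn_ok(m.group("pan")):
        return "track2", m.group("pan")
    for candidate in PAN_RE.findall(line):
        if luhn_ok(candidate):
            return "pan", candidate
    return None


def scan(text: str):
    """Scan log text and list findings; PANs are reported only in truncated form."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hit = classify_line(line)
        if hit:
            kind, pan = hit
            findings.append({"line": lineno, "kind": kind, "masked_pan": mask_pan(pan)})
    return findings


# Constructed sample: a point-of-sale log that mixes a properly truncated PAN (line 1)
# with full track data left behind by a debug setting (lines 2 and 3) and a 16-digit
# order id that is not a card number (line 4). The PANs are Visa's public test numbers.
SAMPLE_LOG = """\
2007-03-01 12:00:01 POS-07 auth ok pan=411111******1111 amt=42.10
2007-03-01 12:00:07 POS-07 debug track2=;4012888888881881=09121011234567890?
2007-03-01 12:00:09 POS-02 debug track1=%B4111111111111111^DOE/JANE^09121011234567890?
2007-03-01 12:00:15 POS-03 order id=1234567890123456 status=shipped
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']} data stored, PAN {f['masked_pan']}")
```

Run against the sample, the scanner flags lines 2 and 3 only: the truncated PAN on line 1 is the form a merchant may keep, and the order id on line 4 fails the Luhn check. A real sweep would run the same logic over database dumps, backups and application logs, where track data most often survives by accident.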
With the creation of the council, all suggestions and changes to the rule book are now funneled through this group. Furthermore, the council determines which auditors are qualified to perform PCI assessments and which vendors are qualified to perform scans for vulnerabilities or misconfigurations in an organization’s infrastructure. Eventually, says chairwoman Seana Pitt, the council’s funding will come not from the card associations but from training and certification fees.