In Depth

All About the PCI Data Security Standard

More than just another data-security standard, the PCI program is corporate America's most ambitious effort yet to prove that it can self-regulate. But even a standard with everything going for it might not be enough to stop the loss of credit card data.

By Sarah D. Scalet

Page 4

“What we’re evolving to is becoming a center of excellence,” says Pitt, who is also a vice president at American Express. “Anybody who has questions about interpreting the standard or suggestions on making it better will come to us, whereas in the past they would talk to the individual brands.”

The sticks, meanwhile, stay in the hands of the individual card associations, because the standards council itself has no enforcement capability. In fact, when asked in January about current compliance levels, Pitt admitted that the council has no numbers to benchmark against. Instead, the council will measure its success only on feedback from the card companies and its members.

“We actually get the happy part of driving education and compliance,” Pitt says. “Or the proactive part,” she clarifies.

The Technicalities

At Marriott International, Chris Zoladz is among those who are working to comply with the PCI standard. The $12 billion hotel chain has been working on the standard over the past few years, but “it’s quite an undertaking to get to the point of full compliance,” says Zoladz, who is Marriott’s vice president of information protection and privacy.

One pain point is the encryption requirement. Although Marriott has long been encrypting data while it is in transmission, the PCI standard also requires that stored cardholder data be rendered unreadable, in practice by encrypting it at rest, something Marriott had not been doing because other protections were in place. Card data is initially saved in a central reservation system but later gets passed on to the property management system of the individual hotel where the customer has booked a room. The challenge, Zoladz says, is to encrypt the data as it is stored in both places while still allowing the two systems to talk to one another.
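One way to meet that challenge is for both systems to store only ciphertext and share the data-encryption key, so the reservation system can hand a record to the property system without either side ever writing the card number to disk. The following is an added illustration, not code from the article or from Marriott: it uses AES-GCM from Go's standard library, keeps only the last four digits in the clear, and binds each ciphertext to its reservation ID so a record copied onto another booking will not decrypt. The record ID, the field names and the generated key are assumptions; in a real deployment the key would come from a key-management system or HSM rather than from main().

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// StoredCard is the record either system keeps on disk: the last four
// digits for display and lookup, and the PAN only as AES-GCM ciphertext.
type StoredCard struct {
	Last4      string
	Ciphertext string // base64(nonce || ciphertext || GCM tag)
}

// Vault wraps the data-encryption key shared by both systems. Assumption:
// the key is provisioned out of band (KMS/HSM); here main() generates one.
type Vault struct {
	aead cipher.AEAD
}

func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// Protect encrypts a PAN for storage. The record ID is supplied as
// additional authenticated data, so a ciphertext moved onto another
// reservation record fails to decrypt.
func (v *Vault) Protect(recordID, pan string) (StoredCard, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return StoredCard{}, errors.New("PAN length out of range")
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredCard{}, err
	}
	// Seal appends ciphertext+tag after the nonce: nonce || ct || tag.
	sealed := v.aead.Seal(nonce, nonce, []byte(pan), []byte(recordID))
	return StoredCard{
		Last4:      pan[len(pan)-4:],
		Ciphertext: base64.StdEncoding.EncodeToString(sealed),
	}, nil
}

// Reveal decrypts a stored record. It succeeds only with the same key and
// the same record ID that were used to protect it.
func (v *Vault) Reveal(recordID string, c StoredCard) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(c.Ciphertext)
	if err != nil {
		return "", err
	}
	ns := v.aead.NonceSize()
	if len(raw) < ns+v.aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pan, err := v.aead.Open(nil, raw[:ns], raw[ns:], []byte(recordID))
	if err != nil {
		return "", errors.New("decryption failed: wrong key, wrong record ID or tampered data")
	}
	return string(pan), nil
}

func main() {
	// Constructed demo key shared by both systems; never hard-code a real one.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	reservations, _ := NewVault(key) // central reservation system
	property, _ := NewVault(key)     // property management system

	// Constructed input: a well-known test card number, not a real card.
	rec, err := reservations.Protect("resv-42", "4111111111111111")
	if err != nil {
		panic(err)
	}
	fmt.Printf("handed to property system: last4=%s ct=%s\n", rec.Last4, rec.Ciphertext)

	pan, err := property.Reveal("resv-42", rec)
	fmt.Println("property system decrypted:", pan, err)

	_, err = property.Reveal("resv-43", rec) // same ciphertext, different booking
	fmt.Println("copied onto another record:", err)
}
```

Because the two systems exchange the StoredCard record rather than the card number, the interface between them carries ciphertext end to end; only a process holding the key can recover the PAN, and the authenticated record ID stops a stored ciphertext from being silently re-attached to a different booking.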

Another pain point is the requirement for two-factor authentication. The standard stipulates that a user name and password are not enough to authenticate an employee, administrator or third party who gains remote access to any system that holds debit or credit card data. In addition, the merchant must set up a second factor of authentication, such as tokens or biometrics. That’s no small undertaking for a company with a large, dispersed workforce like Marriott’s.
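The second-factor requirement comes down to a login check that refuses a correct password on its own. As an added example, not code from the article or from Marriott, the block below implements a time-based one-time-password token (RFC 6238 over RFC 4226, the scheme behind most hardware and software tokens) and a remote-access login that insists on both the password and the current code. The user record, the salted SHA-256 password hash and the one-step clock-drift window are assumptions for the demo; a production system would store passwords with a slow hash such as bcrypt or argon2 and would also refuse a code that has already been accepted in the same time step.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

const (
	totpStep    = 30      // seconds per code (RFC 6238 default)
	totpModulus = 1000000 // 10^6: six-digit codes
)

// hotp computes an RFC 4226 one-time code for a counter value.
func hotp(secret []byte, counter uint64) uint32 {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return code % totpModulus
}

// TOTP derives the HOTP counter from the clock (RFC 6238).
func TOTP(secret []byte, at time.Time) string {
	return fmt.Sprintf("%06d", hotp(secret, uint64(at.Unix()/totpStep)))
}

// VerifyTOTP accepts the current code or one step either side to allow for
// token clock drift. The comparison is constant-time.
func VerifyTOTP(secret []byte, code string, at time.Time) bool {
	ok := false
	for skew := int64(-1); skew <= 1; skew++ {
		expected := TOTP(secret, at.Add(time.Duration(skew*totpStep)*time.Second))
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			ok = true
		}
	}
	return ok
}

// RemoteUser is a constructed credential record for one remote-access account.
type RemoteUser struct {
	Salt         []byte
	PasswordHash []byte // assumption: SHA-256(salt||password); use bcrypt/argon2 in production
	TOTPSecret   []byte // shared with the user's token at enrolment
}

func hashPassword(salt []byte, password string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	return h[:]
}

// AuthenticateRemote checks both factors before deciding, so a caller
// cannot learn which one failed from timing. The reason string is meant
// for the audit log, not for the user-facing error.
func AuthenticateRemote(u RemoteUser, password, otp string, now time.Time) (bool, string) {
	passOK := subtle.ConstantTimeCompare(hashPassword(u.Salt, password), u.PasswordHash) == 1
	otpOK := VerifyTOTP(u.TOTPSecret, otp, now)
	switch {
	case !passOK && !otpOK:
		return false, "password and one-time code rejected"
	case !passOK:
		return false, "password rejected"
	case !otpOK:
		return false, "second factor missing or rejected"
	}
	return true, "both factors verified"
}

func main() {
	// Constructed enrolment: the RFC 6238 test secret and a demo password.
	secret := []byte("12345678901234567890")
	user := RemoteUser{
		Salt:         []byte("demo-salt"),
		PasswordHash: hashPassword([]byte("demo-salt"), "correct horse"),
		TOTPSecret:   secret,
	}
	now := time.Unix(59, 0) // RFC 6238 test vector time: code is 287082
	code := TOTP(secret, now)
	fmt.Println("token shows:", code)

	ok, why := AuthenticateRemote(user, "correct horse", "", now)
	fmt.Println("password only:", ok, why)
	ok, why = AuthenticateRemote(user, "correct horse", code, now)
	fmt.Println("password + token:", ok, why)
}
```

Rolling this out to a dispersed workforce is mostly an enrolment problem rather than a cryptographic one: every remote user needs a token seeded with a secret the server also holds, and the server-side check has to sit in front of every path that reaches systems holding card data, not only the primary VPN.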

Not that Zoladz is complaining about the changes, mind you. “I think the standard is pretty solid,” he says. “When I look at each of the requirements in the standard, a lot of what’s in there is very consistent with what you find in the ISO 17799 standard or what you would find in any of the various articles and publications around best practices in information security.”
