In Depth

All About the PCI Data Security Standard

More than just another data-security standard, the PCI program is corporate America's most ambitious effort yet to prove that it can self-regulate. But even a standard with everything going for it might not be enough to stop the loss of credit card data.

By Sarah D. Scalet

Page 6

Likewise, the vulnerability that Stop & Shop dealt with, involving criminals who tampered with the equipment customers use to swipe their credit cards and input PINs, is not currently addressed in the PCI standard. “I think the standard will mature,” Kirkwood says, “and as it matures, it will be more comprehensive.” (For details, see “Bolting on Security at Stop & Shop” at CSOonline.com.)

The bigger issue for CSOs, however, may be the nature of the discussions with the standards council, and how united a front the credit card associations are really presenting.

Barrett and Kirkwood both mention that a PCI audit acceptable to one card association does not always satisfy the other associations. Kirkwood says, “It’s the same standard, but it’s not like you can say you’re PCI-compliant and then you’re done for all the entities. Why don’t we have one PCI assessment of Ahold, and have that apply to everyone? I think that’s the way we’re going to evolve; we’re just not there yet.” Kirkwood thinks he understands the reasons why. “At American Express, we couldn’t rely on Visa certification, because if something happens to the merchant, then American Express would be in a really bad situation, saying they relied on what Visa did. The public would say, why did you do that?”

Council or no, Kirkwood says, it’s simply hard for any one body to take on that kind of responsibility. “If a central organization says, ‘We certify ChoicePoint,’ who gets sued when ChoicePoint has a problem? If you did that, you would have to have a limitation of liability that says something like, ‘We’ll review them, but don’t hold us accountable if something happens to them.’ Therefore the certification doesn’t mean too much.”

Suddenly, government intervention doesn’t sound like such a crazy idea.

The Best of All Possible Standards?

Of course, there is a raft of reasons why government intervention doesn’t work much better than the PCI standard. Look no further than HIPAA, which contains both security and privacy provisions for healthcare organizations. Despite the fact that the law is more than a decade old, there have been no fines to speak of, leaving some organizations scratching their heads about why they should bother complying. Meanwhile, federal CIOs and CISOs complain that the 2002 Federal Information Security Management Act has turned into nothing but an exercise in completing paperwork, rather than improving security. The one piece of federal legislation that did prompt widespread work on information security controls—the Sarbanes-Oxley Act—stemmed from one small section, 404, and corporate America is currently in rebellion that the end has not justified the multimillion-dollar means. The problem is always an economic one—not that compliance costs too much money, precisely, but that the money it costs isn’t worth spending.

