FOREWORD
Target dates for compliance with the PCI DSS have all long since passed, and the Standard is now on its third version. Many organisations around the world – particularly those that fall below the top tier of payment card transaction volumes – are not yet compliant.
There are perhaps three reasons for this.
The first is that, outside a few US States, the PCI DSS has no legal status: it is not a law and does not have the force of law. Enforcement can only be carried out by contractual means, in a competitive payment card marketplace. The UK’s Information Commissioner, however, has said that compliance with the PCI DSS shows due diligence in protecting cardholder data, and has effectively imposed it as law through the threat of fines for failure to comply.1
The second is that enforcement is driven by the card payment brands, through the banks that have the commercial relationships with the merchants that are supposed to comply. While enforcement has become more rigorous over the last three years, it is still inconsistent.
The third is that the PCI DSS is extremely prescriptive, and takes a determined one-size-fits-all approach to information security requirements. Compliance is therefore seen as both expensive and bureaucratic.
It is not surprising, therefore, that merchants have tried to avoid compliance with this Standard. This is a short-sighted and high-risk stance to adopt – rather like assuming that your business has no exposure to acts of nature or IT failure and does not, therefore, require a business or IT service continuity plan.
All businesses that accept payment cards are prey for hackers and criminal gangs that seek to steal payment card and individual identity details. Many attacks are highly automated, seeking out website and payment card system vulnerabilities remotely, using increasingly sophisticated tools and techniques. When a vulnerability is discovered, an attack can start – without the management or staff of the target company having any awareness of what is going on.
When the attack is exposed – most breaches go undetected for months, and are often found by third parties, such as payment brands conducting fraud checks – the target company will be exposed to a harsh and expensive set of repercussions. These will range from customer desertion and brand damage to significant penalties and operating requirements imposed by their acquiring bank, which will include a future level of monitoring at a level normally applicable to only the very largest of merchants. Penalties can also include expensive forensic investigation by accredited PCI Forensic Investigators (PFI); they could also be made designated entities by the payment brands or the acquirers, requiring an additional level of validation to prove compliance in the future.
The PCI DSS is designed to ensure that merchants are protecting cardholder data effectively. It recognises that not all merchants have the technical understanding to identify the necessary steps and short circuits to avoid danger. All merchants and their service providers should therefore ensure that they comply with the PCI DSS, and that they stay compliant. If the solution cannot be found internally or through the service provider, then training and consultancy is the solution.
Apart from anything else, if every merchant cooperates in the fight against the theft of cardholder data, we might make it easier in the long run for all our payment card customers.