FOREWORD

All target dates for compliance with the PCI DSS have long since passed. The Standard is now on its third version, with the fourth in development with a predicted release date of Q4 2020. It is likely that v3.2.1 will be withdrawn around the end of 2021. Many organisations around the world – particularly those that fall below the top tier of payment card transaction volumes – are not yet compliant.

There are three possible reasons for this.

The first is that, outside a few US states, the PCI DSS has no legal status: it is not a law and does not have the force of law. Enforcement can only be carried out by contractual means, in a competitive payment card marketplace. The UK’s Information Commissioner, however, has said that compliance with the PCI DSS shows due diligence in protecting cardholder data, and has effectively imposed it as law through the threat of fines if non-compliant at the time of a breach.1

The second is that enforcement is driven by the card payment brands, through the banks that have the commercial relationships with the merchants that are supposed to comply. While enforcement has become more rigorous over the past few years, it is still inconsistent.

The third is that the PCI DSS is extremely prescriptive, and takes a determined one-size-fits-all approach to information security requirements. Compliance is therefore seen as both expensive and bureaucratic.

As a result, many merchants have tried to avoid compliance. However, this is a short-sighted and high-risk stance to adopt – rather like assuming that your business has no exposure to acts of nature or IT failure and does not, therefore, require a business or IT service continuity plan.

All businesses that accept payment cards are prey for hackers and criminal gangs seeking to steal payment card and individual identity details. Many attacks are highly automated, seeking out website and payment card system vulnerabilities remotely, using increasingly sophisticated tools and techniques. When a vulnerability is discovered, an attack can start – with the management and staff of the target company unaware of what is going on.

Most breaches go undetected for months, and are often found by third parties, such as payment brands conducting fraud checks. When the attack is exposed, the target company faces a harsh and expensive set of repercussions. These range from customer desertion and brand damage to significant penalties and operating requirements imposed by their acquiring bank, including monitoring at a level normally applicable to only the very largest of merchants. Penalties can also include expensive forensic investigation by accredited PCI Forensic Investigators (PFIs), or being made designated entities by the payment brands or the acquirers, requiring an additional level of validation to prove compliance in the future.

The PCI DSS is designed to ensure that merchants are protecting cardholder data effectively. It recognises that not all merchants have the technical understanding to identify the necessary steps and short circuits to avoid danger. All merchants and their service providers should therefore ensure that they comply with the Standard, and that they stay compliant. If the solution cannot be found internally or through the service provider, then training and consultancy are the solution.

Above all else, if every merchant cooperates in the fight against the theft of cardholder data, we might make it easier in the long run for our payment card customers.

1 www.out-law.com/page-12147.
