More than 15 years ago, a group of companies that processed credit card transactions came together to address a growing concern: there was no clear, unified set of standards to ensure the secure processing, storage, and transmission of cardholder data. With e-commerce becoming more popular and cybercriminals more advanced, inconsistent guidelines governing credit card transactions created security vulnerabilities.
So, in December 2004, American Express, Discover, JCB International, MasterCard, and Visa Inc. partnered to produce the first version of the Payment Card Industry Data Security Standard (PCI-DSS). That version, and the numerous updates and revisions since, contain a comprehensive list of requirements businesses must meet to maintain payment card data security. The key pillars are as follows:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
A few years after PCI-DSS 1.0 was released, the founding companies formalized their role in ensuring credit card security by creating the PCI Security Standards Council (PCI-SSC). Since its launch in 2006, the PCI-SSC has overseen updates and revisions to PCI-DSS, and has worked with a variety of stakeholders from across industries to govern all things cardholder data.
Businesses Impacted by PCI-DSS
PCI-DSS applies to three primary types of businesses:
- Merchants or organizations that process, transmit, or store any cardholder data. In other words, PCI-DSS applies to any business that accepts credit or debit cards, though the validation requirements a business must meet differ according to its merchant level (set by transaction volume) and the card brand.
- Service providers. A service provider is a business entity that is not a payment brand (i.e. not Visa, Mastercard, American Express, etc.), but is directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity.
- Companies that provide services that control or could impact the security of cardholder data (for example, hosting providers or managed security providers), even if they never handle card data directly.
Evolution of PCI-DSS
The PCI-SSC releases a version or update to PCI-DSS roughly every year or two to ensure guidelines are in line with rapidly evolving technologies and security threats.
The current release, PCI-DSS 3.2.1, was published in May 2018. The next version, PCI-DSS 4.0, is expected to be released in late 2020 or early 2021. PCI-DSS 4.0 will be the 10th version of the standard to be released.
PCI-DSS 4.0 is expected to differ from the current 3.2.1 in a few ways; the biggest is in how businesses will be able to achieve compliance. PCI-DSS 3.2.1 and earlier versions of the standard have specific and stringent requirements that dictate how companies must achieve compliance. PCI-DSS 4.0 will keep this existing prescriptive method (the "defined approach"), but it introduces another option: the customized approach. The customized approach focuses on the intent of each requirement (its stated objective) and allows an entity to design its own security controls to meet that objective, provided it can document and demonstrate to its assessor that the controls actually achieve it.
To ensure businesses comply with PCI-DSS guidelines, there are penalties for non-compliance. These penalties are not assessed by the PCI-SSC, but rather by each of the card brands whose cards a specific merchant accepts, and they are typically passed down through the merchant's acquiring bank.
The fee/penalty structure is not published publicly, but fees are higher for businesses that are out of compliance with PCI requirements when a breach occurs. However, penalties and fees can be assessed against a merchant organization even if the merchant was validated as compliant at the time of the breach, since a compliance validation is a point-in-time attestation, not a guarantee that controls were operating when the breach occurred.
Below is a sampling of penalties organizations may face:
- Fines ranging from $5,000 to $100,000 per month, rising over time until the merchant is in full compliance
- Sanctions that can rise to the level of termination of the ability to accept payment cards
- Liability for losses that customers may suffer in the event of a breach
Although these penalties may seem steep, the good news is that there are a number of tools that can help organizations comply with PCI-DSS requirements, especially with some of the added flexibility in Version 4.0. The PCI Council's SAQ (self-assessment questionnaire) is a useful option for merchants and service providers eligible to validate compliance without a full on-site assessment. Cybersecurity software, such as a best-in-class micro-segmentation solution, can also provide significant assistance: properly implemented segmentation isolates the cardholder data environment from the rest of the network, which reduces the number of systems in scope for an audit and therefore the effort needed to assess and maintain them. Note that segmentation only reduces scope if it is verified to be effective, which is why PCI-DSS requires segmentation controls to be tested by penetration testing.
About the Author: Brian Dixon, Certified PCI-QSA & CISSP, is a ColorTokens solutions architect and compliance expert