Payment Card Industry (PCI) compliance, specifically PCI data security standard (DSS), is a set of security standards established by the industry to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. By adhering to PCI DSS, businesses enhance and streamline data management, taking into account data development, storage, dissemination, and security. This system of measuring and overseeing compliance was developed by a consortium of key players in the card industry to help reduce fraud and to ensure consistency of processes and operational norms across card issuers.
PCI compliance was born out of a disruption in the payments industry that came about with the advent of e-commerce during the late 1990s and early 2000s. During this disruptive period, many merchants entered into the nascent online shopping arena looking to increase revenues by building a web presence for their brick-and-mortar businesses. With the development of an online marketplace came an increase in the adoption of digital payments. This innovation in payments produced unintended opportunities for crime. Cyber criminals began developing ways to infiltrate card processing systems and payment networks for illegal gains. As this activity became prevalent, the major credit card brands joined forces to develop ways to prevent theft, namely, PCI DSS.
Initially, when cyber crime first emerged as a major issue facing credit card companies, many companies attempted to come up with solutions internally. Visa® made the first attempt at creating a security standard for the payment card industry in the fall of 1999, calling its standard the Cardholder Information Security Program (CISP). CISP failed because Visa struggled with, and was ultimately unsuccessful at, reconciling North American and international security guidelines, and so had trouble streamlining compliance practices for its merchants. Visa wasn’t alone in facing difficulty in creating an industry standard: Mastercard®, American Express®, Discover® and JCB® also made their own attempts and fell short of developing a solution. These failures made it obvious that working in isolation was not an effective way to solve an industry-wide problem. Instead, beginning in 2001, these same five card companies worked together to develop and enact security standards for the industry. If everyone followed a common protocol, they could band together and raise barriers against data access by cyber criminals.
The delayed development of a security standard meant that cyber criminals were able to grow in numbers and in sophistication, unfettered by a strong cyber-security protocol. A solution became possible only when all five major credit card brands came together to create a comprehensive standard for all merchants in the payments cycle. The result of this collaboration was the PCI DSS standard. On December 15, 2001, the first PCI DSS standard was released, called Version 1.0. Since then there have been regular updates to the standard, the most recent of which, PCI DSS 4.0, was released in March 2022. PCI DSS 3.2.1 remains active until March 31, 2024, and the majority of new PCI DSS 4.0 requirements are optional until March 31, 2025. This most recent version of PCI DSS addresses emerging security threats, facilitates customized security solutions, and provides clearer guidance on security requirements.
The PCI Security Standards Council (PCI SSC) was developed to help manage and drive the process of PCI DSS adoption and the sharing of best practices. It was founded in 2006 by American Express, Discover, JCB International, MasterCard and Visa Inc. PCI DSS had a bit of a rocky start. Many professionals criticized the PCI standard at its inception, complaining of a lack of consistency in the audit and assessment processes carried out by Qualified Security Assessors. The standards council was developed to respond to merchant concerns and keep communication lines open between all stakeholders. In late 2007 the PCI SSC created an easy, standard method for merchants to achieve PCI compliance, quickly followed by the creation of the PA DSS (Payment Application Data Security Standard), which helps developers build secure payment applications that don’t store sensitive credit card data.
While the PCI DSS standard has helped prevent a high percentage of data breaches and fraudulent activity, cyber crime poses a moving target for regulators as perpetrators develop new ways to infiltrate digital technology. Businesses take this criminal activity seriously because when a data breach occurs both a company’s brand and its customers are affected, and a breach can create onerous legal costs for a business. One infamous example is the 2013 Black Friday cyber attack on Target, which resulted in the compromise of 110 million customer accounts and an $18.5 million settlement paid by Target across 47 states. The attackers got in through a third-party vendor that was using less stringent security measures; access to that vendor’s systems gave them a doorway through which to install malware and reach Target’s POS data. The $18.5 million settlement resolved suits brought by several state attorneys general, and the matter also culminated in over $202 million in legal fees. Not included were the costs associated with class action lawsuits brought against Target. As a result of the breach, Target lowered its fourth-quarter earnings that year and adjusted its sales outlook, seeing an immediate impact on business after the breach announcement, including “meaningfully weaker-than-expected sales since the announcement.” After an internal review, Target acknowledged it had been negligent in protecting customer data.
A PCI audit involves a thorough examination of the security of your organization’s credit-card processing system. There are 12 high-level requirements (Version 4.0) with which your business must comply in order to pass a PCI audit.
It’s standard practice for businesses to carry out an assessment annually. These assessments can be done one of two ways. Businesses can conduct a self-assessment by visiting the PCI security standards council website and completing a Self-Assessment Questionnaire (SAQ). An annual audit can also be undertaken by hiring an independent professional known as a Qualified Security Assessor (QSA) to facilitate the audit. Many businesses perform quarterly tests such as network scans to keep ahead of potential data breaches and be better prepared for the annual audit.
Any merchant involved in processing, storing or transmitting credit card data is required to be PCI compliant, according to the PCI Security Standards Council. There are four levels of compliance, and your level is determined by the number of card transactions your business processes in a 12-month period. Level One businesses have six million or more transactions a year. Level Two comprises businesses with between one million and six million annual card transactions. Level Three businesses have between 20,000 and one million annual card transactions. Level Four covers businesses with 20,000 or fewer annual card transactions. Each level of compliance has its own unique set of compliance rules.
All companies that accept, process, store, or transmit credit card information can maintain a secure environment for their customers by maintaining PCI compliance, staying up-to-date on the latest preventative measures and conducting regular network scans and annual audits.
Learn more about how WEX payment solutions can be tailored to your business, so you can accelerate and streamline operations while creating lasting growth and success for your organization.
Editorial note: This article was originally published on January 23, 2014, and has been updated for this publication.