In 2000, the number of websites skyrocketed to 17 million, with more than 400 million internet users. Shortly after, a growing number of online stores came online, eager to capitalize on the potential of this new selling environment. Unfortunately, retailers weren’t the only ones who saw the potential of making money on the web. Fraudsters saw opportunities, too.
As online financial fraud began to rise, the leading credit card companies tried to introduce new security standards for their merchants in order to protect cardholder data. VISA was the first with its Cardholder Information Security Program (CISP), released in 2001. Others, including American Express and Mastercard, soon followed with their own security standards.
However, the rate of online financial fraud kept increasing and merchants, confused by all the different security standards, struggled to achieve compliance. For those reasons, credit card providers joined forces to create a unified security standard and the Payment Card Industry Data Security Standard (PCI DSS) was created.
In this post, we’ll explore what PCI DSS is, why is it important, what the consequences are of being non-compliant, and why meeting basic PCI compliance standards is not enough to safeguard your organization from today's threats and vulnerabilities.
This four part series covers foundational basics of PCI DSS, explains the payment workflow, and shares tips on how to go beyond PCI compliance to better secure your organization.
What is PCI DSS?
PCI DSS is a standard designed to protect the sensitive information of credit card holders.
The standard consists of 12 different requirements that cover logging and monitoring, vulnerability scans, risk assessment, physical security, access control policy, and a few other security-related best practices. For a company to be PCI compliant, it must prove that its systems and infrastructure meet all requirements.
For a detailed explanation of PCI DSS, check out this blog post.
Who must follow PCI DSS?
Any organization that processes, stores, or transmits credit card data must comply with PCI DSS. This includes governmental agencies, large enterprises, and even small retailers that use e-commerce solutions such as Shopify to outsource all cardholder data functions.
The level of PCI compliance required depends on transaction volume, and can be measured through a verified self-report, an accredited third-party audit, or an onsite/remote network scan.
While PCI compliance is not enforced by law in most U.S states (except Nevada), the standard is still mandatory if you want to accept credit cards and interact with the major credit card companies. They can and will sanction non-compliant merchants (the term for an organization that accepts credit card payments).
The penalties can be steep, including a fine of $5,000 to $100,000 per month or even the suspension of merchant privileges, depending on the size of the business and the nature of non-compliance.
Why is PCI compliance not enough?
One of the most devastating data breaches in history was the Target Corporation breach. In 2013, 40 million credit and debit card numbers and 70 million records of personal information were stolen. The costs related to this incident were estimated at $252 million. Ironically, Target was validated as PCI compliant just two months before the breach.
So how is it possible for a fully compliant company to get breached?
First, it is crucial to understand that PCI DSS is a bare minimum standard to meet, as the PCI Council itself affirms. While compliance can enhance the overall security of an organization, its defined purpose is to help companies protect their customers’ sensitive information. Therefore, being compliant does not guarantee that a company can’t be hacked.
Second, there is a misconception that PCI compliance is a one-and-done event. Hackers continuously improve their skills and techniques, sand as a result new threats are continuously emerging. As long as there is profit to be made, the pace of financial data attacks will not slow down.
Treating PCI compliance as an annual tick-the-box requirement poses a number of significant risks and provides a false illusion of security to an organization. Companies must be proactive in keeping their systems secure, and treat PCI compliance as just the starting point for overall data security.
There's an even more compelling reason to go beyond basic PCI compliance. In the event of a data breach, credit card providers can sanction an organization with a fine up to $90 per each cardholder data compromise, even if the company is 100% PCI compliant. When the data breached totals in the tens of millions, like what happened with the Target breach, the fines alone could obliterate an organization.
Besides financial losses, a data breach usually results in bad publicity for the affected company, reputation damage, and lawsuits from affected customers. In some cases, these outcomes are enough to bankrupt an organization.
Considering the various penalties associated with a data breach, going beyond PCI compliance, and ensuring the best cybersecurity practices are in place must be a top priority for any organization that deals with sensitive information. Simply meeting a minimum standard is not enough. The process of securing sensitive information involves both in-depth security and compliance.
Continue reading part 2 of this series.