PCI DSS - Why it works
The Payment Card Industry Data Security Standard (PCI DSS) is the document that sets the de facto standard of compliance for any company that stores, processes or transmits cardholder data (CHD), along with the personally identifiable information (PII) that travels with it.
The founding members of the PCI Security Standards Council - American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. - set out to replace their individual data security compliance programs with a single, globally agreed standard.
In this post I will examine why the PCI DSS works, focusing primarily on merchants (i.e. retailers of all sizes) as they are the most familiar to us.
1. Blueprint for success
A document like the PCI DSS provides businesses with a blueprint for success in safeguarding customer data.
It's easy to point to large retailers and say that they should already know how to do this, and we'd probably be right. But what about the smaller merchants?
Within a 5 km radius of my home there are well over 100 small businesses, the majority of which accept credit or debit cards as a form of payment.
These businesses do not have IT departments brimming with security experts, yet they still need to ensure that cardholder data is secure so as not to run afoul of their merchant agreement.
To quote the PCI Council:
Small merchants are prime targets for data thieves. It's your job to protect cardholder data at the point-of-sale.
If cardholder data is stolen - and it's your fault - you could incur fines, penalties, even termination of the right to accept payment cards!
For them, the PCI DSS provides an easy-to-follow framework for securely processing transactions.
2. A standard for all
Standards are a great way of ensuring compatibility in design, manufacture and trade.
With respect to the PCI DSS, having a standard means that a set of minimum requirements must be met before a business is allowed to accept card payments.
It also means that merchants are no longer required to follow a separate compliance program for each card brand they accept.
The PCI DSS levels the playing field, ensuring that small businesses are held to the same security standard as large retailers.
This is important. It means that wherever you shop, and whatever the retailer's annual revenue, your CHD and PII should be treated with the same level of care.
According to Visa, merchants can be classified into 4 different tiers based on their annual transaction volume.
Each card brand is free to set its own tiers, but they are similar across brands.
3. It's all about the data
Where the PCI DSS does really well is in keeping the focus on the data.
It would have been easy to limit the scope to point-of-sale systems or payment processing servers.
Instead, the PCI Council strives to ensure that any and all parts of a business's operation that could potentially hold CHD and PII are covered.
This means that whether the data is stored, processed or in transit, whatever system it touches is in scope, and so is any system that is connected to, or could affect the security of, those systems.
Broad criteria such as these are important because they leave little room for judgement calls and cut off the "what if" scenarios.
When assessing an environment, merchants should abide by the phrase, "If in doubt, don't leave it out."
4. Help is there when you need it
An important part of Visa's merchant tier chart is the set of validation criteria attached to each tier.
It allows smaller merchants (by transaction volume) to spend less money on validating compliance, which can otherwise be quite costly: merchants at Tier 2 and lower are free to choose between calling in the experts for an on-site assessment and completing a Self-Assessment Questionnaire (SAQ) themselves.
The PCI Council has also published a handy PDF guide aimed at smaller businesses.
For those who want extra help, they can hire a Qualified Security Assessor (QSA). QSAs are trained professionals who are experts in the PCI DSS; they can help smaller merchants understand the requirements and provide guidance on which controls are appropriate.
QSAs also have experience on their side. A QSA can make recommendations based on previous exposure to similar environments, rather than working through the standard from scratch.
So while merchants can opt to do it all themselves, help is there when they need it.
5. Non-compliance can be costly
Enforcement of compliance with the PCI DSS, and the determination of any non-compliance penalties, are carried out by the individual card brands, normally through the merchant's acquiring bank.
Merchants that do not comply with the PCI DSS requirements may be subject to fines, card replacement costs, forensic audits, brand damage, revocation of card acceptance privileges and other penalties.
The following is MasterCard's schedule of non-compliance assessments:
Level 1 & 2 Merchants
- First Violation – Assessment Amount: Up to $25,000
- Second Violation – Assessment Amount: Up to $50,000
- Third Violation – Assessment Amount: Up to $100,000
- Fourth Violation – Assessment Amount: Up to $200,000
Level 3 Merchants
- First Violation – Assessment Amount: Up to $10,000
- Second Violation – Assessment Amount: Up to $20,000
- Third Violation – Assessment Amount: Up to $40,000
- Fourth Violation – Assessment Amount: Up to $80,000
Besides the risk of fines, any merchant that suffers a breach can be escalated to Tier 1 regardless of transaction volume, and with it inherits the Tier 1 validation requirements, including an annual on-site assessment.
So, for a little upfront effort and cost, complying with the standard helps reduce risk and minimizes unpleasant and costly consequences.
While fines won't eliminate breaches altogether, they can certainly motivate merchants to embrace the standard, especially those that can ill afford the fines and associated costs.
To find out why the PCI DSS is not all it's cracked up to be, have a look at my contrasting opinion.