The Payment Card Industry Data Security Standard (PCI DSS), developed by the Payment Card Industry Security Standards Council, which consists of payment brands such as Visa, MasterCard, American Express, Discover and JCB, provides payment card data protection requirements for organizations that process card payments. PCI DSS compliance is required of all merchants and service providers that store, process, or transmit a Primary Account Number (PAN) of a credit card, and it also covers the protection of the cardholder name, service code, or expiration date when any of these is stored in conjunction with a PAN. While PCI DSS is the single set of data security standards shared by all payment brands, each payment card network defines its own merchant levels, validation requirements and deadlines.
For organizations with large volumes of credit card transactions, compliance is assessed annually and must be validated by an external assessor known as a Qualified Security Assessor (QSA). Organizations that handle smaller volumes of credit card transactions also are assessed annually, but have the flexibility to self-certify using a Self-Assessment Questionnaire (SAQ).
Organizations that fully comply with PCI DSS are considered secure credit-card processors; however, compliance and security are not necessarily synonymous. An organization can be compliant and still experience a security breach, and can also be non-compliant and maintain a secure infrastructure. The question is: What good is compliance? Approached correctly, compliance can be a catalyst for implementing effective security measures. However, this requires an understanding of the principles behind the requirements, not just adherence to the minimum requirements. Security is more than a list of checkboxes — it involves a holistic approach and processes to protect the organization. Compliance standards such as PCI DSS provide a foundation for achieving security, but by themselves they do not adequately protect the organization.
The cost of a data breach is significant. Costs have risen steadily from a 2005 average incident cost of $4.5 million to a 2010 cost of $6.75 million. PCI DSS compliance is also costly — in a recent Ponemon Institute study, 52% of respondents indicated that between 30% and 50% of their security budgets are allocated to PCI DSS compliance. The average cost of a QSA audit for PCI DSS is $225,000 for a Tier 1 merchant and $103,000 for a Tier 2 merchant; this is the QSA audit cost alone, and does not include the additional cost of becoming compliant and maintaining that standing.
The dynamic business and threat environment ensures that the burden of PCI DSS compliance will continue to grow; for instance, additional requirements are planned around encryption and key management, and three US states – Minnesota, Nevada, and Washington – have written PCI DSS into law.
Organizations that employ a "checkbox" approach will ultimately not be secure. One only needs to look at large and costly data breaches such as those experienced by Heartland Payment Systems and RBS WorldPay, both of which achieved PCI DSS compliance at one point only to have that status revoked. Companies that are found non-compliant risk losing their ability to process credit card payments and face fines, further audits, and the imposition of additional requirements.