PCI Turns 10: Will It Last Another 10 Years?Time to Assess PCI-DSS's Impact on Payments Security
Most U.S. consumers never could have anticipated all of the changes we've experienced in payments over the last 10 years, including the emergence of e-commerce and mobile payments and the switch to chip cards.
Ten years ago, payment card security was little more than an afterthought, Troy Leach, chief technology officer of the Payment Card Industry Security Standards Council, points out. The focus was on merchant loyalty programs and customer relationship management, which required merchants to know more about their customers by storing their shopping histories.
"The DSS was really created to have organizations re-evaluate how they were actually using and managing cardholder information."
"In looking at the 2005 and 2006 timeframe, we were seeing a lot of breaches [as a result of] storing cardholder data unnecessarily," Leach says. "There were some very common challenges - some of those challenges we still see today, like default passwords or just weak network security or not separating sensitive information from the rest of a company's assets."
Of course we know today that storing cardholder data is a bad idea. But storing such data was common back in the days before PCI Data Security Standard compliance.
"The DSS was really created to have organizations re-evaluate how they were actually using and managing cardholder information," Leach says. "If we reflect back to that time, people were not aware of the risks associated with storing cardholder information or using it for loyalty programs or customer management programs. So much of the DSS effort in the beginning was actually to educate about the removal of unnecessary storage of information that was associated with many breaches at the time, and also just to raise awareness about how you could have a business strategy to eliminate processes and minimize the risk to every stakeholder in the payment ecosystem."
This September marks the 10th anniversary of the PCI Security Standards Council - a group established by the major card brands to manage payment card data security through PCI-DSS.
Although PCI-DSS was introduced in December 2004 as the first unified payments security standard to be approved and required by all the major card brands, it wasn't until the PCI Council's inception in 2006 that widespread adoption of and compliance with the standard began to take root.
My career covering payments and financial security closely aligns with the birth of the PCI-DSS. In October 2004, I took a job with an online publication called ATMmarketplace, where I developed relationships with some of the same sources I still rely on today.
PCI-DSS has been criticized over the years for its rigidity and failure to evolve quickly enough to address emerging risks. In a February 2011 interview, online security expert Josh Corman predicted PCI-DSS wouldn't stand the test of time.
In the days to come, we'll present a series of interviews and articles about the impact PCI has had on payments security and how payments security in the U.S. and throughout the world has changed since 2006. We'll also examine an important question: Will the PCI-DSS remain a viable standard 10 years from now?
Look for my audio interviews with Leach, who's been on the PCI Council almost from day one, and Jeremy King, international director of the council, who helped lead efforts to spread awareness and adoption of the PCI-DSS to markets outside the U.S.
I'll also be conducting interviews with a wide variety of other payments experts to get their takes on the impact of PCI-DSS, and whether it will continue to be viable. And my colleagues at ISMG will examine the impact of PCI around the globe.
I'd like to know your thoughts about the future viability of the PCI-DSS. Post your comments below.