The Payment Card Industry Data Security Standard (PCI DSS) aims to protect card holder data used during online payments.
It was adopted by the Payment Card Industry Council in 2005 and is backed by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa.
The aim is to reduce online fraud by providing a security baseline that all companies taking payment must conform to. The aim is good, but some suggest the way standard is implemented suggests it’s designed less to secure card data than to profit credit card companies, who choose a select oligopoly of "approved vendors" for vulnerabilty scanning and consultancy. It has been called a “near scam” by a spokesman for the National Retail Federation in Wired Magazine.
Implementing the standard can burden smaller retailers and web agencies, forcing them to audit their website and their businesses for a fee. The work itself can be hard to carry out and choosing which level of the standard you need to conform to is confusing.
We have seen PayPal withhold funds from our clients until they complete TrustWave scans despite the fact that no credit card details are ever entered on PayPal offsite payments, meaning that whilst our servers are secure and pass the standards, even if they didn't it would be impossible to stage an attack or hack where customers' card details are compromised. Again, when this happened, a select list of "approved vendors" was provided.
A study by Ponemon Institute cited in Information Week found that:
50% of security professionals view PCI as a burden, and 59% don't think it helps them improve security.
Mathew J. Schwartz interviewed the president of risk and information security consulting firm IP Architects, John P. Pironti, made the point that:
Security by compliance, doesn't do a company any favors, especially because attackers can reverse-engineer the minimum security requirements dictated by a standard to look for holes in a company's defense.
Some have criticized the way PCI agreements are structued, Wired Magazine has stated that merchants are liable for a third-party agreement their banks make with Visa and MasterCard [which] disempowers merchants.
Sometimes it seems like the standard is unnecessarily complicated and according to Information Week:
in a survey conducted earlier this year of U.K. businesses by market research firm Redshift Research on behalf of Tripwire, 89% of U.K. companies hadn't undergone the required auditing and certification process, and 35% said they still didn't fully understand PCI.
PCI DSS provides a minimal baseline for security and since all the major card providers insist on its implemention, why not read about how it's done? Watch this space.