'A near scam' - Criticisms of the Payment Card Industry Data Security Standard

  • Technology
  • July 5, 2013
  • by Alex O'Byrne
  • 3 minute read

The Payment Card Industry Data Security Standard (PCI DSS) aims to protect card holder data used during online payments.

It was adopted by the Payment Card Industry Council in 2005 and is backed by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa.

The aim is to reduce online fraud by providing a security baseline that all companies taking payment must conform to. The aim is good, but some suggest the way standard is implemented suggests it’s designed less to secure card data than to profit credit card companies, who choose a select oligopoly of "approved vendors" for vulnerabilty scanning and consultancy. It has been called a “near scam” by a spokesman for the National Retail Federation in Wired Magazine.

Implementing the standard can burden smaller retailers and web agencies, forcing them to audit their website and their businesses for a fee. The work itself can be hard to carry out and choosing which level of the standard you need to conform to is confusing.

We have seen PayPal withhold funds from our clients until they complete TrustWave scans despite the fact that no credit card details are ever entered on PayPal offsite payments, meaning that whilst our servers are secure and pass the standards, even if they didn't it would be impossible to stage an attack or hack where customers' card details are compromised. Again, when this happened, a select list of "approved vendors" was provided.

A study by Ponemon Institute cited in Information Week found that:

50% of security professionals view PCI as a burden, and 59% don't think it helps them improve security.

Mathew J. Schwartz interviewed the president of risk and information security consulting firm IP Architects, John P. Pironti, made the point that:

Security by compliance, doesn't do a company any favors, especially because attackers can reverse-engineer the minimum security requirements dictated by a standard to look for holes in a company's defense.

Some have criticized the way PCI agreements are structued, Wired Magazine has stated that merchants are liable for a third-party agreement their banks make with Visa and MasterCard [which] disempowers merchants.

Sometimes it seems like the standard is unnecessarily complicated and according to Information Week:

in a survey conducted earlier this year of U.K. businesses by market research firm Redshift Research on behalf of Tripwire, 89% of U.K. companies hadn't undergone the required auditing and certification process, and 35% said they still didn't fully understand PCI.

PCI DSS provides a minimal baseline for security and since all the major card providers insist on its implemention, why not read about how it's done? Watch this space.

Written By

Alex O'Byrne

Alex is Co-founder at We Make Websites, the go-to Shopify agency for global commerce. We Make Websites design, develop and optimise e-commerce websites for the fastest growing brands on the planet, with teams in London and New York. Alex is an international speaker on ecommerce, brand and business growth.

Get ahead with the latest in e‑commerce and Shopify Plus.

Popular Articles

13 May 2021


How to Implement Subscriptions on Shopify Plus

27 April 2021


A Closer Look: Hasbro Crowdfunding on Shopify Plus

26 March 2021


Shopify Plus’ Design Restrictions, Debunked

17 February 2021


Magento to Shopify: the Brands that Replatformed

Be the first to hear about what’s hot in e‑commerce and Shopify Plus. Straight to your inbox.

By providing my email, I agree for We Make Websites to contact me via email with e‑commerce advice, events and Shopify launches. Your data is stored securely and we never pass it on to third parties.