More than two-thirds of all payments made in the United States are paid with credit or debit cards. In an increasingly influential industry, that number only continues to grow. In 2014, the industry processed $4 trillion in the U.S. alone, and in 2012, Americans made 23.8 billion card transactions.
With that volume comes a lot of responsibility: the industry has to keep fraud down, hold merchants accountable, keep consumers safe, and preserve the reputation of the card networks so that consumers keep using them. That is where the Payment Card Industry Data Security Standard (PCI DSS) comes in. Unlike most regulations, it was not handed down by government policymakers or regulators. It was designed in the early 2000s by the major card brands as a set of rules for every merchant that accepts their cards. A merchant that takes credit cards has to abide by the standard or face the consequences: fines, financial and reputational damage if a data breach occurs, and ultimately the loss of the ability to accept cards at all.
Let’s take a closer look at what the rules are, where they came from, and how they actually function.
PCI DSS: A brief history
From 1988 to 1998, Visa reported $750 million worth of credit card fraud. In the grand scheme of things, this wasn’t huge (at the time, hundreds of billions of dollars worth of transactions were being processed each year). But on Visa’s radar was the looming onset of internet commerce, which would not only increase the number of credit card transactions, but also make them extremely vulnerable to fraud. As a preemptive measure, Visa developed the Cardholder Information Security Program (CISP) in 1999, which became the first set of security standards for merchants accepting credit cards. CISP allowed Visa to monitor transactions being made with its own credit cards and ensure that merchants were complying.
In 2000, online credit card fraud amounted to $1.5 billion, and it tripled over the following ten years. Despite Visa's best intentions, merchants struggled to comply with CISP and fraud continued to beleaguer the industry. One reason Visa's standard fell short was that there was no unity among the card brands: each ran its own program, leaving merchants juggling too many rules and too much information.
It wasn't until 2004 that the five major credit card brands (American Express, Discover, JCB International, which is allied with Discover, MasterCard, and Visa) put their heads together on a cohesive solution. They released the first PCI DSS, which they had all agreed on, and made compliance mandatory for merchants. A unified set of standards did make compliance easier, and the standard was quickly adopted as the norm. Two years later, the five brands revised the PCI DSS and announced the formation of the PCI Security Standards Council (PCI SSC), an independent body with members from each of the five brands, to own and maintain the standard. (Until then the founding brands had set the standard themselves; moving it to an independent body allowed it to be maintained and monitored more consistently.)
Since then, the PCI SSC has revised the standard (especially to keep up with changing payment technology) and developed compliance validation methods and requirements. The card brands themselves define four merchant levels, based on annual transaction volume, that determine how a merchant must validate and report its compliance.
Breaking down the standards
The PCI DSS is a detailed set of requirements created to make sure merchants run secure point-of-sale systems, store and share only the cardholder data they need, can thwart malicious activity, and process online payments properly. Twelve requirements support six overarching security goals, and the standard breaks those twelve down into more than 200 sub-requirements, each paired with testing procedures that an assessor uses to verify it.
The six goals and their 12 associated requirements that all merchants must abide by are:
Goal: Build and maintain a secure network and systems
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Goal: Protect cardholder data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Goal: Maintain a vulnerability management program
5. Protect all systems against malware and regularly update antivirus software or programs
6. Develop and maintain secure systems and applications
Goal: Implement strong access control measures
7. Restrict access to cardholder data on a need-to-know basis
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
Goal: Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Goal: Maintain an information security policy
12. Maintain a policy that addresses information security for all personnel
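As an added example, not from the original article, of what "Protect stored cardholder data" looks like in practice: PCI DSS 3.x allows a displayed primary account number (PAN) to show at most the first six and last four digits, and it forbids storing the full PAN unprotected, which in practice includes application logs. The Python below, written for this page, finds probable PANs in a few constructed log lines by looking for 13 to 19 digit runs that pass the Luhn check and masks them. The log lines and the `order=` field are constructed, and the card numbers are the well-known public test numbers, not real cards.

```python
import re

# Constructed sample log: two lines leak a full PAN, one leaks an Amex PAN,
# and one carries a 16-digit order number that is NOT a card number.
# The card numbers are public test numbers (Visa, MasterCard, Amex).
SAMPLE_LOG = """2015-04-15T10:02:11Z checkout ok pan=4111111111111111 order=1234567890123456 amt=19.99
2015-04-15T10:03:40Z checkout ok pan=5555 5555 5555 4444 amt=5.00
2015-04-15T10:04:02Z refund pan=378282246310005 amt=5.00"""

# A digit run of 13-19 digits, optionally separated by spaces or hyphens,
# not embedded in a longer digit run. Luhn decides whether it is a PAN.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to first six and last four digits, the most PCI DSS lets you display."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("too short to be a PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_line(line: str):
    """Mask every Luhn-valid 13-19 digit run in a line; return (line, pans_masked)."""
    count = 0

    def repl(match):
        nonlocal count
        raw = match.group(0)
        digits = re.sub(r"\D", "", raw)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            count += 1
            return mask_pan(digits)
        return raw                # not a PAN (e.g. an order number): leave it

    return CANDIDATE.sub(repl, line), count


def scrub_log(text: str):
    """Scrub a whole log; return (scrubbed text, total PANs masked)."""
    out, total = [], 0
    for line in text.splitlines():
        scrubbed, n = scrub_line(line)
        out.append(scrubbed)
        total += n
    return "\n".join(out), total


if __name__ == "__main__":
    scrubbed, n = scrub_log(SAMPLE_LOG)
    print(f"masked {n} PAN(s)")
    print(scrubbed)
```

The Luhn check is what keeps the order number in the first line intact while the three card numbers are masked; a pure "16 digits" regex would mangle legitimate data and still miss 15-digit Amex PANs. Scrubbing at write time is a mitigation, not a substitute for never logging the PAN in the first place, and the masked form is only acceptable for display: anything stored must be truncated, tokenized, hashed with a salt, or encrypted per Requirement 3.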
PCI compliance—it’s the law. Or is it?
Every merchant that accepts credit cards is required to abide by the PCI DSS and follow careful rules about how it processes, transmits, and stores payment card data. If a merchant suffers a data breach while non-compliant, it typically pays fines of between $5,000 and $10,000 a month until it can demonstrate compliance. Those fines come on top of everything else a merchant must deal with when recovering from a breach, including lawsuits, direct financial losses, and a blow to its customer base.
But unlike compliance regimes such as HIPAA, which governs privacy and security of health information, and FERPA, which protects student education records, PCI DSS was not established by the government. Violating HIPAA or FERPA is a violation of the law; violating PCI DSS won't get you in trouble with the government, only with the card brands behind the PCI SSC and the banks that act on their behalf. (In recent years some state laws have incorporated parts of PCI DSS into their legislation, largely to further encourage compliance, and most states have laws governing data breach notification.)
Although PCI DSS puts one uniform set of requirements in front of every merchant that accepts cards, enforcement of the standard is left to the card brands and the acquiring banks.
Fines are levied by the card brands when a data breach occurs, not by the PCI SSC. That is where things get complicated: the brands do not fine merchants directly, but rather fine the merchant's acquiring bank or processor. How the acquiring bank proceeds is up to its own discretion; most often, it passes the fine on to the non-compliant merchant. These fines vary by bank, by card brand, and by merchant level. If compliance issues aren't resolved within a satisfactory length of time, the acquiring bank can also revoke the merchant's ability to accept cards. So, depending on the processor, fines may be lenient or harsh, compliance fees may be charged monthly or not at all, and compliance verification may be sporadic. Choosing a processor therefore involves understanding how it enforces PCI DSS, and recognizing that some processors use PCI DSS to make money off merchants.
Since acquiring banks and processors bear the burden of their merchants' PCI compliance, they also decide how merchants must demonstrate it. Merchants and other companies that must comply are either asked to complete a Self-Assessment Questionnaire (SAQ), a self-reported checklist of their compliance measures, or to undergo an on-site assessment by a third-party Qualified Security Assessor (QSA), which produces a Report on Compliance. (The acquiring bank may require one or the other, but a company can choose to undergo an assessment anyway; it is more thorough but costs more.) Most merchants with internet-facing systems must also pass quarterly external vulnerability scans by an Approved Scanning Vendor (ASV).
Processors can also charge merchants recurring non-compliance fees, typically $10 to $100 a month. The fees are meant to push merchants toward compliance, but they do not come from the PCI SSC, and the fees at the high end in particular are often simply a revenue source for the processor.
Does PCI DSS work?
High fees and fines can make life difficult for merchants, especially small ones. In 2013, Nashville-based retailer Genesco sued Visa over its fines, alleging that they were meant to punish the retailer rather than compensate Visa for losses from a data breach (which Genesco says never happened in the first place). And while monthly fees may prompt some merchants to take steps toward compliance, many don't understand all of the criteria (especially when they are self-reporting) and leave gaps in their systems. Many merchants stay non-compliant until a data breach forces them to change their practices. A 2010 Verizon study found that 79 percent of breached retailers were non-compliant.
PCI DSS compliance is inevitably complicated, and it continues to change as payment technology changes. Version 3.0 was published in November 2013 and took effect in 2014, and an update, PCI DSS 3.1, with a few bolstered requirements (most notably that SSL and early TLS no longer count as strong cryptography) was released just this week. But fraud prevention is critical when processing thousands of card transactions, and though complicated, PCI DSS does lay out strong controls for it. It is vital to remember, however, that compliance is an ongoing process and that a passed assessment is a point-in-time snapshot, not immunity from breaches. As technology is updated, as payment software is integrated with other company systems, and as new employees join, compliance must be re-evaluated at every step to keep both merchants and customers safe.