Beyond The Buzzword: How Merchants Can Approach PCI DSS Compliance

There are two ways merchants can demonstrate compliance with the Payment Card Industry Security Standards Council’s (PCI SSC) Data Security Standard (PCI DSS): smaller merchants may be able to use self-assessment questionnaires, while larger merchants may need a data security firm to perform an on-site assessment. Either way, a common misconception is that PCI SSC both sets and enforces the standards — but that is simply not the case.

“People look at PCI as being some enforcement arm,” Patrick Brown, CEO of IntraNext, told Karen Webster in a recent interview. “It’s the actual card providers that are truly the enforcers within that PCI consortium.”

Although the council does not enforce compliance – that task falls to the individual payment brands and banks – it does maintain and publish the standards. The individual card brands, for their part, can impose fines or revoke card-acceptance privileges if they find that the security standards were not met. It’s also important to note that PCI compliance is a shared responsibility among merchants, vendors and any company that has exposure to card data.

Its members – American Express, Discover, JCB International, Mastercard and Visa – agree on the standards and publish them so that any company that accepts and processes credit card information has a set of criteria aimed at creating and maintaining a secure environment. In essence, PCI DSS “is one standard with multiple different inputs,” Brown said.

Third Parties Can Help Merchants De-scope

To ensure that they’re following the standard, merchants and other entities first evaluate scope: they identify every system component that stores, processes or otherwise comes into contact with cardholder data. Everything in scope must adhere to the standard’s controls, and that effort can be costly. As a result, companies try to de-scope wherever possible, keeping as few systems as they can in contact with card data.

In addition, different-sized merchants have different needs. “The challenges of a thousand-seat call center are different than five workstations in a mom-and-pop shop,” Brown said.

“Anything that an entity can do to reduce the scope, to minimize it down to just those simple touch points where credit card information is – that’s always a big goal for anybody trying to meet the standards,” Brown said.

Companies can choose to keep their systems in scope and implement all of the controls, or they can choose to de-scope. The choice depends on how much effort a business is willing to spend on compliance – and on how successfully it can remove card data from its environment.

Newer technologies are helping to minimize that burden. For example, tokenization is a process in which a valid credit card number is replaced with a non-sensitive equivalent, the token. Merchant systems can use the token in place of the credit card number, and once a purchase is made, the token is exchanged for the original card number only where the payment is actually processed.
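As an added illustration (not code from the article or from IntraNext), the Python sketch below models the vault-based tokenization just described: the merchant’s order records hold only a token that keeps the last four digits for receipts, is guaranteed never to pass as a real card number, and is exchanged for the PAN only inside the vault at payment time. The card number used is the well-known Visa test number, not a real card.

```python
import hashlib
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn check used by card brands; a token that fails it can never be mistaken for a PAN."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """The only component that ever sees a PAN; everything else stays out of PCI scope."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_fp: dict[str, str] = {}
        # Keyed HMAC lets the vault recognise a returning card without storing a plain hash of it.
        self._key = secrets.token_bytes(32)

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fp:           # same card always maps to the same token
            return self._token_by_fp[fp]
        while True:
            # Random leading digits, real last four: unreversible without the vault's table.
            token = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4)) + pan[-4:]
            # Reject the ~10% of candidates that would pass Luhn, so a leaked token is never a usable PAN.
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_fp[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Called only by the payment step, the single remaining card-data touch point."""
        return self._pan_by_token[token]


def place_order(vault: TokenVault, pan: str, amount: float) -> dict:
    """What the merchant's order system stores: a token and the last four digits, never the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:], "amount": amount}
```
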

Take Apple Pay or Samsung Pay: “[With them], your tokenization is actually happening immediately, and therefore your credit card is not floating around through the internet,” Brown said. “In a card-not-present environment, it gets to be a bit more challenging … but each channel has its own challenges when trying to meet that scoping.”

Some Merchants Are Further Along on PCI DSS Than Others

Some of the more successful PCI DSS deployments have occurred at grocery stores and other retailers that have adopted “the chip” (EMV card readers). The technology helps merchants become more secure, but some merchants have been quicker to adopt innovations – like the chip – than others.

“You avoid a lot of those breaches of the past,” Brown said. “There are still some industries that need some attention, and it will be a while before they catch up.”

For example, gas stations have fallen behind. Initially, the council had given self-serve pumps until October 2017 to comply with PCI DSS. But, because of the cost and the logistical complications of bringing all of those pumps into compliance, the council extended the deadline to October 2020.

The core problem with gas pumps is that skimming devices fitted to the pump’s card reader can capture the magnetic-stripe data from every card swiped. Whoever planted the device can then quickly turn around and use that data in card-not-present environments.

As a result, gas stations use tamper-evident tape as a seal to show that nobody has opened the card reader at the pump and placed a skimming device inside. Besides broken tape, other telltale signs of skimming include a loose card reader or an overlay sitting on top of it. “That’s a hot spot that education can help with,” Brown said.

PCI DSS Evolves with Changes in Technology

In the future, Brown believes PCI will continue to focus on multi-factor authentication, strong passwords and remote access – i.e., “the hot spots in terms of where breaches occur and where the bad guys get in,” Brown said.

And, with new technology that allows cardholders to enter their PINs on a touchscreen (“PIN on glass”), PCI DSS standards continue to change with the times. “And I think that’s going to continue to be looked [at] as the glass itself keeps changing,” Brown said. “Your devices are evolving as well.”

Our understanding of how security measures, such as passwords, actually deter attackers also keeps changing.

“We keep learning that what we thought was correct, in terms with what was hard to break, was possibly incorrect,” Brown said. “And … password changes tend to be actually less safe because people revert back to things they can remember, which then makes them more vulnerable – so it’s a moving target.”