What Is PCI Compliance?
According to data from Statista, 40% of point-of-sale payments made in 2021 were made with a credit card, followed by debit cards at 30%, while cash usage continues to decline year over year. With credit and debit card use so ubiquitous, it matters that the systems handling the cards we use to pay for goods and services are actually secure.
Every company that stores, processes, or transmits credit or debit card data must adhere to a stringent set of security standards intended to keep customer data from being stolen or compromised. In other words, it must be "PCI compliant." There is a good chance that most people haven't heard the term "PCI compliance" or don't know what the "PCI" stands for, so let's begin there. "PCI" stands for Payment Card Industry and is typically used to describe the ecosystem of card brands, issuing and acquiring banks, processors, and merchants that handle payment cards such as debit and credit cards.

When online shopping and e-commerce exploded in the late 1990s, payment fraud became a serious problem, so the credit card companies started establishing their own sets of security standards to combat the rise in fraudulent activity.
The history of PCI compliance
In 1999 Visa announced that it would implement the Cardholder Information Security Program (CISP). The goal was to protect cardholder data with strong information security controls throughout the entire transaction process. This move prompted Mastercard, American Express, and Discover to implement security programs of their own, and over the next five years merchants had to deal with a dizzying array of overlapping standards, one from each brand.
In December 2004 the five major card brands, Visa, Mastercard, JCB International, American Express, and Discover, finally agreed on a single common standard, PCI DSS 1.0, officially the Payment Card Industry Data Security Standard. In 2006 the same five brands formed the Payment Card Industry Security Standards Council (PCI SSC) to own and maintain the standard, and the council released Version 1.1 that year, which among other changes required merchants to review web-facing applications and deploy firewalls in front of them.

The PCI SSC updates the standard as technology changes. Version 1.2, released in 2008, added guidance on protecting wireless networks and administering antivirus software, and new versions have followed every few years. Version 4.0 was published in March 2022. It runs alongside the previous version, 3.2.1, which is retired on March 31, 2024, and a number of its new requirements are future-dated until March 31, 2025. Version 4.0 replaces the term "firewall" with the broader "network security controls" to keep up with cloud and software-defined networking, and it requires multi-factor authentication (MFA) for all access into the cardholder data environment, among other changes.
The 12 key requirements of PCI compliance
Becoming "PCI compliant" is not a simple task. According to Investopedia, the PCI DSS has 12 key requirements, another 78 base requirements, and well over 400 testing procedures. To be "PCI compliant," a company must satisfy all 12 high-level requirements, which the standard groups under six goals:
Build and maintain a secure network and systems
1. Install and maintain a firewall configuration (network security controls in version 4.0) to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect cardholder data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
Maintain a vulnerability management program
5. Protect all systems against malware and regularly update antivirus software.
6. Develop and maintain secure systems and applications.
Implement strong access control measures
7. Restrict access to cardholder data by business need to know.
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.
Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Maintain an information security policy
12. Maintain a policy that addresses information security for all personnel.
Security in all PCI compliance measures
The first half of the list is about keeping card data out of reach: hardened networks, no default credentials, encryption at rest and in transit, patched systems. The second half is about access control, monitoring, and keeping those controls working over time. Because PCI compliance is as much about digital records as it is about money, companies have to stay vigilant not only at the time of assessment but continuously afterward; compliance is a point-in-time finding, while security is an ongoing state.
PCI compliance isn’t required by law, but still considered mandatory
PCI DSS is not a law. It is a contractual obligation: the card brands require it of the acquiring banks and payment processors, who in turn require it of the merchants they serve, and a non-compliant merchant risks fines, higher transaction fees, or losing the ability to accept cards at all. In practice it is therefore treated as mandatory. The regulatory backdrop was reinforced by the court case between the Federal Trade Commission (FTC) and Wyndham Worldwide Corporation, which affirmed the FTC's authority to act against companies whose data security practices are unfair to consumers. The FTC does not enforce PCI DSS directly, but its mandate to protect consumers against fraud and unlawful practices means a company that lets cardholder data leak through poor security can face FTC action in addition to the card brands' penalties. Staying compliant also brings direct benefits: fewer data breaches, and with them fewer fines, settlements, and card reissuance costs, plus the ability to show customers that their data is being protected against identity theft.
Despite the protections afforded by the PCI DSS requirements and the best efforts of the FTC, data breaches occur frequently, and 68% of businesses feel cybersecurity risks are on the rise. According to Cybint, 95% of breaches involve human error, and a hacker attack occurs every 39 seconds.

Stay secure beyond PCI compliance promises
One of the most public security breaches in recent memory occurred in 2017, when the systems at Equifax were breached and the names, phone numbers, home addresses, birth dates, and Social Security numbers of roughly 148 million Americans were exposed. The credit card numbers of some 209,000 people were compromised as well, a reminder that for all the good PCI compliance does for consumers on a daily basis, there is still work to do. The Orbitz data breach, the data breach at Robinhood, and the recent Cash App breach are further reminders that no single service is infallible.
Keep a close eye on your financial accounts, request a replacement card number if you suspect your details have been exposed, and always keep your passwords secure. Never, ever leave default passwords in place, and do not assume that because you can't imagine being targeted by a malicious party, you won't find yourself part of a massive data breach one day. Stay vigilant and don't trade away security for convenience when paying digitally. No matter how secure any card or service claims to be, there will always be room for human error.

