PCI: Keeping the Customer Trust

On June 22, 2005, The Washington Post called 2005 “the year of the data breach,” a phrase that, since then, has become common parlance for those observing the state of the fraud/security marketplace.

The year 2005 saw high-profile breaches at payment processors, banks, retailers, and data brokers affecting tens of millions of U.S. citizens. In fact, as of January 18, 2006, the Privacy Rights Clearinghouse estimates the number of people affected since February 15, 2005, calculated from public announcements, at more than 53 million.

The largest breach so far occurred on June 16, 2005, at CardSystems Solutions, a third-party processor of payment card data; it compromised the data of 40 million credit card holders when CardSystems was hit by a computer virus that captured customer data for the express purpose of committing financial fraud.

Congressional hearings on the matter were held in July, and Visa, MasterCard, American Express, and other payment card providers ceased allowing CardSystems to process payments.

The CardSystems incident, combined with other significant data thefts from top enterprises such as ChoicePoint, DSW Shoe Warehouse, and Polo Ralph Lauren, has made data security a top-of-mind issue for anyone handling sensitive consumer information, and has made calls for additional legislation more widespread and insistent.

But well before these events and subsequent calls for legislation occurred, all of the major credit card issuers had created separate detailed security programs in an effort to combat data theft and better ensure the protection of cardholder data.

In December 2004, Visa, MasterCard, American Express, Diners Club, JCB and Discover joined together to merge their programs and develop the payment card industry (PCI) data security standard (DSS).

Compliance is mandatory for any business—including merchants, service providers, and issuing banks—that handles, stores, transmits, or processes any data related to the card companies.

The program’s purpose is to protect cardholders’ private information, decrease fraud, and spot security issues that could result in compromised or stolen data.

While this may sound oppressively difficult and expensive, it is necessary. The risks of not complying with PCI requirements are considerable, and include aggressive, defined financial penalties for non-compliant organizations.

Under the worst possible scenario, failure to meet PCI can end in suspension, and finally revocation, of an organization’s right to accept or process credit card transactions, making it extremely challenging to continue doing business.

While stringent, these best practices are necessary to keep customer trust, and companies—regardless of industry—can and should glean important lessons from this cooperation.

Mike Paquette, chief strategy officer, is responsible for product management and strategy at Top Layer Networks, where he drives the technology roadmap of the company’s intrusion prevention solutions.