For years now the credit card companies have been stressing the need for PCI DSS compliance – a set of regulations meant to ensure a high level of security for sensitive credit card information. Nevertheless, many companies have put off implementing the proper security procedures.
Why, then, do merchants keep putting these things off? On closer study of the PCI DSS (Payment Card Industry Data Security Standard), we can see that it requires nothing so unusual that it would come as a surprise to a merchant in this day and age. These requirements do, in fact, have the merchant’s best interests in mind. Yet studies have shown that companies are not becoming compliant as quickly as would be expected.
What would it take for merchants to begin taking PCI DSS compliance seriously?
Apparently recent history isn’t enough. In 2005 there was the famous incident involving the TJX Companies Inc. The company recently revealed that they suffered a very large security breach. From July 2005 until the breach was discovered in December 2006, hackers were able to penetrate a supposedly secure network and compromise at least 45.7 million credit and debit cards.
It is also possible that the hackers had access to a decryption tool, which gave them access to PIN numbers and other unique identifiers. With these numbers in their possession, the hackers would have just about everything they needed to cause serious harm.
What was the outcome of this breach (possibly the largest in U.S. history)?
TJX estimated that the costs of the breach would be in the vicinity of 18 million dollars. Outside sources, however, put the number closer to 1.35 billion dollars when you figure in the costs of legal fees, call center costs, and regulatory fines.
The most interesting lesson from this experience is not that TJX had poor security. In fact, a large company like that had probably spent a lot of time and resources developing a very good security system. The point is that they did not seem to understand their full attack surface, the different kinds of threat they faced, or how to guard against those threats.
The Payment Card Industry knew that if breaches like this continued to occur, the integrity of their system would begin to break down, and that is not good for them or for the merchants. So to encourage PCI DSS compliance, the Payment Card Industry has imposed a number of fines and penalties on those who don’t comply. These can range from a fine of 300 dollars per breached record to the loss of the ability to accept credit cards at all.
So now we have recent history and some stern encouragements to take PCI DSS compliance seriously. And yet, there is still a distinct lack of enthusiasm when it comes to achieving compliance. What is there left to do?
The fact is that becoming PCI DSS compliant is just good business sense. As technology continues to grow and criminals develop new methods of attacking and stealing sensitive data, consumers will become more and more likely to refrain from making credit card transactions. The PCI DSS was created to help companies learn about all the possible threats to their system and how to deal with problems when they arise.
Taking PCI DSS compliance seriously is the first step toward building a safe, secure environment for consumers to conduct transactions. Historical examples and instituted fines and penalties don’t seem to be enough to encourage this compliance, so in the end, consumer behavior will have to be the single most important factor in increasing proper security measures.
Perhaps, then, the PCI SSC should begin a stronger campaign to influence consumers, rather than just businesses.