
Why your company needs the Payment Card Industry Data Security Standard

If you think Payment Card Industry Data Security Standard is just for merchants, think again. Here's why virtually every company can boost security and address risk issues using PCI DSS.

The Payment Card Industry Data Security Standard is a widely accepted set of policies and procedures aimed at securing credit card transactions. Although designed with that single purpose in mind, analysts and professionals in the field say it can also provide a sound baseline for securing financial data in almost any organization.

Why? It turns out the rules of thumb and "best practices" PCI DSS defines and requires are just plain good.

David Lacey, author of A Practical Guide to the Payment Card Industry Data Security Standard (PCI DSS) and a security researcher at Chicago-based Information Systems Audit and Control Association, an independent nonprofit focused on security, noted that PCI DSS is focused first and foremost on preventing data theft. From its inception, it has been focused on stringent practices that can accomplish that goal.

As proof of its efficacy, he cited the example of a bank that was targeted by hackers. The attackers got a lot of information, but not the information pertaining to customer credit cards. The reason, in his view, is the use of PCI DSS to protect that data.

PCI DSS is a good introduction to security practices for businesses. "If it is treated more as guidelines and a template of points to consider, rather than a check-box approach to security, it can be effective," said Lysa Myers, security researcher at ESET, an IT security company. "If someone is new to security and looking for guidance on how to think about protecting their organization, it [PCI DSS] can be a good place to start," she added.

"I like to call PCI the world's largest vertical market. Almost every company needs to do PCI," said John Kindervag, an analyst at Forrester Research, based in Cambridge, Mass. Whether you are an e-commerce retailer or a brick-and-mortar merchant or not even a merchant at all -- just a company that sometimes processes a payment via credit card -- you have the same basic issues, he explained.

Some may not understand that broad focus, he noted. Furthermore, many companies think they don't need to apply PCI DSS because they aren't in the "credit card sector." However, he added, whether you store or process cardholder information or simply have a merchant agreement with a card brand, you are already a potential PCI candidate. Even a hospital that may be more focused on the Health Insurance Portability and Accountability Act probably accepts card payments for medical bills or for food in its cafeteria, he noted.

"PCI is the world's largest compliance initiative and it includes every part of the world and every size company; whether you take $40 a year or $40 million, it doesn't matter; the rules are the same in the U.S. and in Bali," Kindervag said. The challenge for individual organizations is determining how to best extract value from the PCI DSS process.


PCI DSS is important for multiple reasons, according to Kindervag. First, it is a "pretty good baseline" for anything you want to do. "For security people who don't like it or maybe just haven't read the standards, I often give them a list of some of the standards it requires and ask which of them they don't think is a good idea," Kindervag said. In other words, it is Security 101, "but people still don't like having to do it," he added.

Secondly, PCI can effectively unlock your budget. Almost all security concerns can be put in the same basket with PCI, so it would be silly not to take advantage of that, Kindervag noted. Furthermore, once you determine that you need to do PCI, that determination tends to make the budget sacrosanct thereafter. "When I talk to people who have moved from PCI-compliant companies to non-PCI-compliant [companies], they found it much harder to get the funding they needed when they no longer had PCI," he said.

And it does create incentives for good security, Kindervag added. Compliance in general is the primary driver for security in most organizations. Without that, people wouldn't do it. Compliance requirements are always the failure of corporate governance. It is only when we fail to do what we should have done that it gets attention and leads to more rules, he said. It is our own fault.

He calls the Payment Card Industry Data Security Standard the "space program" of security; we all benefit. For example, he noted, the industry learned about data encryption on a massive scale; without PCI no one would be looking at this. "The movement toward data security has evolved from PCI," he said.

Applying PCI

According to Kindervag, you can take everything PCI already tells you to do to protect binary credit card data and apply it to protecting intellectual property, personally identifiable information and more.

Kindervag said he talks to companies that believe they need a completely separate project to secure personal health information. "I say, 'no,' just do what you are doing with PCI; use PCI as a baseline."

Using PCI as a universal tool is what Kindervag calls "PCI unleashed."

"I make it the undergirding of everything because it is so tactically specific," he said. If it helps, you can map all requirements back to PCI. "Other approaches to security will just do what I call security by cheerleading," he said. They are nonspecific. By contrast, PCI gets you beyond good enough. It is very specific about things like password management and auditors can't say it isn't good enough because there is no other standard that is more specific.

"Almost any information can be protected using the same PCI techniques," he added.

However, Myers noted, "I would like to see more emphasis on a thorough and ongoing risk assessment, to help organizations stay aware of their environment and secure over time." On the other hand, she said the newest version of PCI DSS is introducing the need for two-factor authentication, which strengthens the login process further. "This makes it so that a stolen password is no longer a single point of failure," she noted.

Ultimately, the value of PCI is in how it is applied, Myers noted. The "con" is if organizations simply treat it as check-box exercise rather than considering how it actually addresses their true needs. The "pro" of PCI is "if an organization took the spirit of the standard as an inspiration point for how to examine their systems," she said.
