PCI Turns 10: How Payment Security Evolved

June 22, 2016

Today’s PCI DSS: What’s Changed and What Hasn’t?

This September, the PCI Security Standards Council will mark its 10-year anniversary.

Do you know exactly what you were doing 10 years ago? Can we agree that the past 10 years seemed to go very quickly?

At this time 10 years ago I was running an Independent Sales Organization (ISO) I founded with my business partner. During that time I attended an Electronic Transactions Association conference and heard a presentation on PCI compliance. It resonated with me right away.

Looking back 10 years, I saw an opportunity to leverage the PCI DSS discussion with merchants and create “stickiness” in the relationship by becoming their advisor. It was a mixed bag in the early going. PCI was not well known and certainly not viewed as a top priority by many busy merchants trying to run their businesses.

Over time, the advantages of being educated on PCI and data security concepts became obvious. I wanted them to ask me first about PCI and security rather than a competitor.

Why PCI Remains Relevant

The first (1.0) version of the PCI DSS was a single, one-size-fits-all form. It was a starting place, and there were indications that maybe this payment card industry guidance would only be needed for a short time period, and then it would become obsolete.

Despite technology advancements (and also because of them), the PCI standard and its related security concepts are now needed more than ever. This is because the threats have evolved quickly, and the number of threat actors, often highly organized, has increased dramatically.

The Future of PCI DSS and the Key to Its Success

The PCI DSS has already evolved quite a bit to reflect the unique ways merchants process credit card transactions (currently there are 9 SAQ selections!) and to put more focus where breach experience has shown patterns of data security vulnerabilities. “Daily attention to security” is the call to action today.

What about the future? I agree that the PCI DSS needs to evolve for the SMB world, so more merchants can truly engage in the process and improve their security posture. Simplification and streamlining are definitely keys to its future success.

Keeping It All in Perspective

People often talk about finding your true niche later in your career. This was definitely true for me. I love being in this space and have often said it is great to get paid while helping people.

Does this sound corny? Maybe, but I often think about all the hard-working people who try to build a future on a small—and in many cases family owned—business. A hacker can threaten their livelihood from 10,000 miles away.

I do take a positive outlook that most breaches really do remain preventable and it rarely costs a lot of money to vastly improve your security posture. In fact, leveraging a managed security service provider could actually save your business money over the long term.

Taking a Proactive Approach to PCI

The PCI DSS remains the most prescriptive compliance/security discipline I know of for understanding how to protect sensitive data. Technology advancements like P2PE and tokenization will drive a great reduction in scope, so that what the merchant is responsible for overseeing and protecting will shrink greatly over time.

In the meantime, many threats exist and the PCI DSS remains the best preventative medicine we have to combat them. Taking preventative steps is not always “fun,” but these actions certainly pay off in the long run.
