[BreachExchange] PCI Turns 10: Will It Last Another 10 Years?

Audrey McNeil audrey at riskbasedsecurity.com
Wed Jun 15 19:45:20 EDT 2016


http://www.databreachtoday.com/blogs/pci-turns-10-will-last-another-10-years-p-2154

Most U.S. consumers never could have anticipated all of the changes we've
experienced in payments over the last 10 years, including the emergence of
e-commerce and mobile payments and the switch to chip cards.

Ten years ago, payment card security was little more than an afterthought,
Troy Leach, chief technology officer of the Payment Card Industry Security
Standards Council, points out. The focus was on merchant loyalty programs
and customer relationship management, which required merchants to know more
about their customers by storing their shopping histories.

"In looking at the 2005 and 2006 timeframe, we were seeing a lot of
breaches [as a result of] storing cardholder data unnecessarily," Leach
says. "There were some very common challenges - some of those challenges we
still see today, like default passwords or just weak network security or
not separating sensitive information from the rest of a company's assets."

Of course we know today that storing cardholder data is a bad idea. But
storing such data was common back in the days before PCI Data Security
Standard compliance.

"The DSS was really created to have organizations re-evaluate how they were
actually using and managing cardholder information," Leach says. "If we
reflect back to that time, people were not aware of the risks associated
with storing cardholder information or using it for loyalty programs or
customer management programs. So much of the DSS effort in the beginning
was actually to educate about the removal of unnecessary storage of
information that was associated with many breaches at the time, and also
just to raise awareness about how you could have a business strategy to
eliminate processes and minimize the risk to every stakeholder in the
payment ecosystem."

PCI Anniversary

This September marks the 10th anniversary of the PCI Security Standards
Council - a group established by the major card brands to manage payment
card data security through PCI-DSS.

Although PCI-DSS was introduced in December 2004 as the first unified
payments security standard to be approved and required by all the major
card brands, it wasn't until the PCI Council's inception in 2006 that
widespread adoption of and compliance with the standard began to take root.

My career covering payments and financial security closely aligns with the
birth of the PCI-DSS. In October 2004, I took a job with an online
publication called ATMmarketplace, where I developed relationships with
some of the same sources I still rely on today.

PCI-DSS has been criticized over the years for its rigidity and failure to
evolve quickly enough to address emerging risks. In a February 2011
interview, online security expert Josh Corman predicted PCI-DSS wouldn't
stand the test of time.

In the days to come, we'll present a series of interviews and articles
about the impact PCI has had on payments security and how payments security
in the U.S. and throughout the world has changed since 2006. We'll also
examine an important question: Will the PCI-DSS remain a viable standard 10
years from now?

Look for my audio interviews with Leach, who's been on the PCI Council
almost from day one, and Jeremy King, international director of the
council, who helped lead efforts to spread awareness and adoption of the
PCI-DSS to markets outside the U.S.

I'll also be conducting interviews with a wide variety of other payments
experts to get their takes on the impact of PCI-DSS, and whether it will
continue to be viable. And my colleagues at ISMG will examine the impact of
PCI around the globe.

I'd like to know your thoughts about the future viability of the PCI-DSS.
Post your comments below.