Appalachia Technologies Blog


Understanding PCI: What It Is, How It Started, and the Challenges Businesses Face

In my 25+ years in cybersecurity, I have watched the demand for compliance auditing grow. In a world where the need to carry cash is diminishing, securing digital payment data, such as card numbers, is vital. How do businesses go about protecting their customers' card data? More importantly, how do we as customers know that our card data is being protected? The answer is PCI.

What is PCI?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to safeguard cardholder data and reduce the risk of data breaches and payment fraud. The first version was published by the major card brands in late 2004; the Payment Card Industry Security Standards Council (PCI SSC), formed in 2006, has maintained the standard since. PCI DSS applies to any organization, regardless of size or transaction volume, that stores, processes, or transmits cardholder data, and to any system that can affect the security of that data. The goal of PCI DSS is to establish a baseline of security controls that every organization handling cardholder data must meet.

The Origins of PCI DSS

PCI DSS was developed as a unified response to the rising number of data breaches involving card data. Before it existed, each major card brand (Visa, MasterCard, American Express, Discover, and JCB) ran its own security program, such as Visa's Cardholder Information Security Program (CISP) and MasterCard's Site Data Protection (SDP) program. These overlapping programs created confusion for merchants that accepted several card types and led to inconsistent security practices.

To address these issues, the card brands aligned their programs into a single standard, PCI DSS, and in 2006 formed the PCI Security Standards Council to maintain it as a global standard for protecting cardholder data across all payment channels.

The 12 Major Requirements of PCI DSS

PCI DSS outlines 12 key requirements that organizations must meet to ensure the security of cardholder data. These requirements are grouped under six broad objectives. The wording below follows PCI DSS v3.2.1; v4.0, which became the only active version on 31 March 2024, keeps the same six objectives and twelve requirements but reworded several of them (for example, "firewall configuration" became "network security controls"), so check the current text when mapping your controls.

  1. Build and Maintain a Secure Network and Systems
    • Install and maintain a firewall configuration to protect cardholder data.
    • Do not use vendor-supplied defaults for system passwords and other security parameters.
  2. Protect Cardholder Data
    • Protect stored cardholder data: keep storage to the minimum the business needs, render the primary account number (PAN) unreadable wherever it is stored (truncation, tokenization, strong encryption, or hashing), and never retain sensitive authentication data such as full track data, card verification codes, or PINs after authorization.
    • Encrypt transmission of cardholder data across open, public networks with strong cryptography (for example, a current version of TLS) so that the data cannot be read in transit.
  3. Maintain a Vulnerability Management Program
    • Protect all systems against malware and regularly update anti-virus software or programs.
    • Develop and maintain secure systems and applications by implementing patches and other security measures.
  4. Implement Strong Access Control Measures
    • Restrict access to cardholder data by business need-to-know, ensuring only authorized personnel have access.
    • Identify and authenticate access to system components to ensure that each user has a unique ID.
    • Restrict physical access to cardholder data to prevent unauthorized access.
  5. Regularly Monitor and Test Networks
    • Track and monitor all access to network resources and cardholder data to detect and respond to unauthorized activity.
    • Regularly test security systems and processes to identify and address vulnerabilities.
  6. Maintain an Information Security Policy
    • Maintain a policy that addresses information security for all personnel, promoting awareness and responsibility for protecting cardholder data.
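The following Python is an added example, not code from the original post or from Appalachia Technologies. It shows two of the Requirement 3 controls in working form: masking the PAN wherever it would otherwise appear in clear text (here, in application log lines, which also keeps Requirement 10 audit logs free of card numbers) and dropping sensitive authentication data from a payment record before it is stored. The log lines, the record, and the list of sensitive field names are constructed for the example; the card numbers are widely published test numbers, not real accounts. A Luhn check is used to avoid masking order numbers and timestamps that merely look like card numbers.

```python
import re

# Candidate PAN: a run of 13 to 19 digits, optionally separated by single
# spaces or hyphens, not embedded in a longer run of digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field names that hold sensitive authentication data (SAD). PCI DSS forbids
# storing SAD after authorization, even encrypted. This list is illustrative.
SENSITIVE_AUTH_DATA = frozenset(
    {"cvv", "cvv2", "cvc", "cvc2", "cid", "track1", "track2", "pin", "pin_block"}
)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; filters out order numbers, timestamps and other
    digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Return the PAN with only the leading and trailing digits visible.
    PCI DSS allows at most the BIN and the last four digits to be displayed;
    the long-standing rule of first six / last four is the default here."""
    digits = re.sub(r"\D", "", pan)
    hidden = len(digits) - keep_first - keep_last
    if hidden < 1:
        raise ValueError("value too short to mask as a PAN")
    return digits[:keep_first] + "*" * hidden + digits[-keep_last:]


def redact_line(line: str) -> tuple[str, int]:
    """Replace every Luhn-valid PAN in one log line with its masked form.
    Returns the cleaned line and the number of PANs that were masked."""
    found = 0

    def _sub(match: re.Match) -> str:
        nonlocal found
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)      # not a card number; leave untouched
        found += 1
        return mask_pan(digits)

    return _PAN_CANDIDATE.sub(_sub, line), found


def redact_log(lines: list[str]) -> list[str]:
    """Clean a whole log, dropping the per-line counts."""
    return [redact_line(line)[0] for line in lines]


def strip_sad(record: dict) -> dict:
    """Remove sensitive authentication data from a payment record before it
    is persisted. Field names are compared case-insensitively."""
    return {k: v for k, v in record.items() if k.lower() not in SENSITIVE_AUTH_DATA}


# Constructed sample data for this example. 4111 1111 1111 1111 and
# 5555 5555 5555 4444 are widely published test card numbers.
SAMPLE_LOG = [
    "2024-09-01T12:00:01Z checkout ok card=4111111111111111 order=1234567890123456",
    "2024-09-01T12:00:02Z refund card 5555 5555 5555 4444 amount=12.50",
    "2024-09-01T12:00:03Z healthcheck ok latency_ms=42",
]

SAMPLE_RECORD = {"pan": "4111111111111111", "expiry": "12/27", "cvv": "123", "name": "Test Card"}

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        cleaned, n = redact_line(line)
        print(f"[{n} masked] {cleaned}")
    print(strip_sad(SAMPLE_RECORD))
```

Note that strip_sad only removes the data that may never be stored; the PAN that remains in the record may be kept only if it is rendered unreadable (for example, encrypted or replaced by a token) before it reaches disk, which is a separate control from the masking shown here.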

Challenges of PCI Compliance for Different Sized Businesses

While PCI compliance is essential for protecting cardholder data, achieving and maintaining compliance can be challenging for businesses of all sizes. The specific challenges faced by small, medium, and large businesses vary based on their size, resources, and operational complexity.

1. Small Businesses

Small businesses often face significant challenges when it comes to PCI compliance, primarily due to limited resources and expertise. Without dedicated IT staff or security professionals, small business owners may struggle to understand PCI DSS requirements and how to implement necessary security measures.

The cost of compliance is another major hurdle for small businesses. Investing in secure systems, conducting regular vulnerability scans, and maintaining updated software can be expensive. For small businesses operating on tight budgets, these costs can be prohibitive.

Additionally, many small business owners mistakenly believe they are too small to be targeted by cybercriminals. However, attackers often view small businesses as easy targets due to their typically weaker security measures, making PCI compliance critical for businesses of all sizes.

2. Medium-Sized Businesses

Medium-sized businesses encounter different challenges with PCI compliance, largely due to their more complex operations and higher transaction volumes. With multiple locations, various payment systems, and extensive networks, achieving and maintaining PCI compliance can be a daunting task.

Balancing compliance with business growth is a key challenge for medium-sized businesses. As businesses expand, they often implement new technologies and expand their IT infrastructure, which can lead to non-compliance if not carefully managed. Keeping up with evolving PCI DSS requirements while growing operations requires a proactive approach to security and compliance.

Maintaining ongoing compliance is another struggle for medium-sized businesses. PCI compliance is not a one-time effort but an ongoing process that requires continuous monitoring, regular audits, and updates to security policies and procedures. This level of maintenance can stretch the resources of medium-sized businesses, making it difficult to sustain compliance.

3. Large Enterprises

For large enterprises, the challenges of PCI compliance are often related to the complexity of their operations and the vast amount of data they handle. Large businesses, such as multinational corporations and major retail chains, typically have extensive, interconnected networks that span multiple regions and countries. Ensuring that every part of the network complies with PCI DSS can be an enormous undertaking, particularly when different regions have varying regulatory requirements.

Managing multiple payment channels adds another layer of complexity for large enterprises. They must secure and monitor various systems, including in-store point-of-sale systems, online payment gateways, and mobile transactions. This requires robust security measures and vigilant oversight to protect cardholder data across all channels.

Moreover, large enterprises are prime targets for cyberattacks due to the volume of data they handle. As a result, they need to implement more sophisticated security measures and invest heavily in cybersecurity to protect cardholder data. Achieving and maintaining PCI compliance in such a dynamic and high-risk environment can be both complex and costly.

Conclusion

PCI compliance is a crucial aspect of protecting cardholder data and maintaining customer trust. However, the journey to compliance is fraught with challenges that vary based on the size and complexity of the business.

Small businesses must overcome resource limitations and awareness issues; medium-sized businesses need to balance growth with security needs; and large enterprises face the complexity of managing vast networks and numerous payment systems. Despite these challenges, achieving PCI compliance is essential for all businesses that handle credit card data, not only to avoid penalties and potential data breaches but also to build and maintain trust with their customers.

If you want help understanding the PCI requirements more clearly, Appalachia Technologies has years of experience and staff who are more than happy to talk with you about particular controls, requirements, or general questions on how your organization can maintain PCI compliance.


UPCOMING WEBINAR:  Join us on LinkedIn Tuesday, September 9th for a lunch & learn webinar, "Learning and Navigating PCI Compliance w/ Wendy's John Sisco."  Event and registration link below:

https://www.linkedin.com/events/7232366404530794497/comments/


Mike Miller is a cybersecurity professional with 25 years of experience throughout the IT industry. He has focused on security, specializing in the areas of Virtual Chief Information Security Officer services, Governance, Risk, and Compliance, PCI, SOC, Intrusion Detection, Penetration Testing, and Incident Response. In 2011, Mike founded Cyber Protection Group, which was acquired by Appalachia in 2022. Mike is passionate about mentoring and assisting aspiring cybersecurity professionals and can be found regularly sharing insight on his LinkedIn profile. When he isn't fighting cyber crime, Mike loves spending time with his wife and kids, often boating in the Ozarks.
