By now, one might expect that most people even remotely involved with credit card processing would have a passing familiarity with the Payment Card Industry Data Security Standard (PCI DSS).  Unfortunately, this is not the case.  Many merchants (primarily Level 4) remain unaware of the obligations introduced by the card brands’ security programs, each of which centers on the standard.

Even for those versed in PCI DSS, there are benefits to understanding its origins.  The roles and responsibilities that fall to various parties, as well as the appropriate use of the instruments involved in validating compliance, are intertwined with the origins of the standard.

The Inception

In 1999, Visa introduced its data security program, which was formally named the Cardholder Information Security Program, or CISP.  The program was intended to enhance the protection of cardholder information and detailed twelve areas of focus, known as the digital dozen:

  1. Install and maintain a working firewall to protect data.
  2. Keep security patches up-to-date.
  3. Protect stored data.
  4. Encrypt transmission of cardholder and sensitive information across public networks.
  5. Use and regularly update anti-virus software or programs.
  6. Restrict access to data by business need-to-know.
  7. Assign a unique ID to each person with computer access.
  8. Do not use vendor-supplied defaults for system passwords and other security parameters.
  9. Track all access to data by unique ID.
  10. Regularly test security systems and processes.
  11. Maintain a policy that addresses information security for employees and contractors.
  12. Restrict physical access to cardholder information.

Compare this list with the twelve requirements of PCI DSS and it is clear that the standard is simply the digital dozen reordered and expounded upon.  Nevertheless, much like “the Dude,” CISP abides.  That is, it is not a defunct compliance initiative: it still exists and still pertains to all Visa transactions.  What has changed is that CISP now references PCI DSS as the standard to which Visa’s member banks must hold their merchant clients.

Implications

That’s an important distinction: PCI DSS itself places no obligation on Visa merchants to adopt specific behaviors and standards.  Rather, CISP obligates Visa’s member banks to require their merchants to adhere to the standard.*

Similarly, the security programs governing the transactions of the other card brands now reference PCI DSS, including those maintained by MasterCard (the Site Data Protection program, or SDP), American Express (the Data Security Operating Policy, or DSOP), and Discover (the Discover Information Security and Compliance program, or DISC).**

Partnering

Visa and MasterCard were the first to transition from separate, differently focused standards to a common approach.  That such fierce competitors would do so is a testament to the persuasiveness and vision of Bob Russo (currently the General Manager of the PCI Security Standards Council) and an indictment of the state of credit card security at the time.

It is said that Russo, among others, convinced the associations that a unified approach to data security was in their best interest.  As a result, in a move to avoid external regulation and to shore up consumer confidence, version 1.0 of the standard was published in December of 2004 with an original compliance deadline of June 30, 2005.

PCI SSC

At this time, the groundwork was laid for the Payment Card Industry Security Standards Council, LLC.  By handing the standard over to a separate corporate entity, the brands insulated themselves from any appearance of collusion that might have antitrust implications.  When the first update to the standard (version 1.1) was published in September of 2006, the council (PCI SSC) officially assumed ownership and maintenance of the PCI DSS and the associated compliance validation instruments (Self-Assessment Questionnaires, or SAQs).

Since its inception, the PCI SSC has added the PIN Transaction Security requirements (PTS), the Payment Application Data Security Standard (PA DSS), and the certification programs for compliance assessors (Qualified Security Assessors, or QSAs) and scan vendors (Approved Scanning Vendors, or ASVs) to its list of charges.  It has also continued to develop the standard, with new versions of these documents published regularly.  (See the PCI SSC Documents Library for the full history and most recent editions.)

The card brands, not the PCI SSC, dictate validation requirements through their respective compliance programs, based upon the number of transactions a merchant conducts with each brand (the merchant level).  Differently sized players have different validation requirements – which is not to say that they have different security requirements.  Security requirements (defined in the PCI Data Security Standard) depend only upon how cards are accepted and handled, not upon transaction volume.

*The Payment Application Data Security Standard (PA DSS) goes one step further:  the associations require member banks to require merchants to require vendors to observe PA DSS.

**American Express and Discover are not card associations, and have direct contractual relationships with merchants who process their cards.