I came across an insightful interview with Bob Russo, general manager of the Payment Card Industry Security Standards Council (the “Council”), that was conducted by cnet news. The interview can be found here and it is a strongly suggested read.
The Council was created by Visa, MasterCard, American Express, Discover, and JCB for the purpose of creating a unified compliance program for organizations accepting and processing payment card transactions. The Payment Card Industry Data Security Standard (the “Standard”), available here, was created by the Council to deter credit card fraud. Many view these efforts as an industry-wide effort to apply uniform security practices, which largely has been the effect.
All organizations that enter into a merchant processing agreement to accept credit and payment card transactions must comply with the Standard in some manner. While the reporting requirements may be less onerous for organizations accepting payments below some fixed amount, in any event all such organizations must comply.
It is widely reported and accepted that most affected organizations have failed to meet full compliance with the Standard. Compliance with the Standard can be extremely onerous and expensive, and many large organizations simply weigh the costs of being out of compliance with the costs of gradually inching toward compliance.
What is impossible to predict are the costs of having a data breach while not being compliant. The merchant processor agreements have placed the liability on merchant for breaches occurring during non-compliant periods. This possibility is the greatest drive, and motivation, for merchants to become compliant as soon as possible.
In addition to the Standard, merchants and processors must also be aware of, and comply with if applicable, the Pin Entry Device (PED) Security Requirements and the Payment Application Data Security Standard (PA-DSS).
While efforts are continually undertaken to avoid data breaches and plug potential security weaknesses, a breach that leads to a loss of payment card information while not in compliance with the Standard, PED or PA-DSS creates issues that have the potential to be even more problematic that traditionally considered. The problems realized by Heartland and TJX were further exacerbated by failing to be PCI compliant.