The PCI Data Security Standard was launched in 2006 by private-sector organizations to improve the security of credit card data. But PCI has instead become a massive butt-covering exercise that extends from retailers to auditors to major credit card brands.
Whether data is any safer remains to be seen. Despite mandating a variety of security mechanisms and regular audits, our investigation shows that the Payment Card Industry Data Security Standard, known as PCI DSS or just PCI, can be manipulated so merchants seem compliant without actually making their data stores more secure. And card brands, which are supposed to be driving compliance, have little incentive to rock this boat.
The standard, which is mandated by major card brands including Visa, MasterCard, American Express, and JPMorgan Chase, requires merchants to implement 12 account-protection mechanisms, including encryption, vulnerability scans, and the use of firewalls and antivirus software. Visa has assumed a lead role in driving the compliance initiative, which took on increased urgency after a string of break-ins that resulted in the exposure of hundreds of millions of credit card accounts. The most infamous breaches occurred at discounter TJX, shoe store chain DSW, and credit card processor Card System Solutions.
Unfortunately, the notion of PCI compliance has become abstracted from actual security. Merchants can game the system to become "compliant" without necessarily improving the safety of card data. For instance, only a fraction of retail stores are physically audited, despite the fact that data thieves regularly target store networks and equipment. A PCI expert we spoke with has reviewed several compliance audits and found them wanting. And the PCI Security Standards Council admits that some auditors aren't as rigorous as others.