The PCI Data Security Standard was launched in 2006 by private-sector organizations to improve the security of credit card data. But PCI has instead become a massive butt-covering exercise that extends from retailers to auditors to major credit card brands.
Whether data is any safer remains to be seen. Despite mandating a variety of security mechanisms and regular audits, our investigation shows that the Payment Card Industry Data Security Standard, known as PCI DSS or just PCI, can be manipulated so merchants seem compliant without actually making their data stores more secure. And card brands, which are supposed to be driving compliance, have little incentive to rock this boat.
The standard, which is mandated by major card brands including Visa, MasterCard, American Express, and JPMorgan Chase, requires merchants to implement 12 account-protection mechanisms, including encryption, vulnerability scans, and the use of firewalls and antivirus software. Visa has assumed a lead role in driving the compliance initiative, which took on increased urgency after a string of break-ins that resulted in the exposure of hundreds of millions of credit card accounts. The most infamous breaches occurred at discounter TJX, shoe store chain DSW, and credit card processor Card System Solutions.
Unfortunately, the notion of PCI compliance has become abstracted from actual security. Merchants can game the system to become "compliant" without necessarily improving the safety of card data. For instance, only a fraction of retail stores are physically audited, despite the fact that data thieves regularly target store networks and equipment. A PCI expert we spoke with has reviewed several compliance audits and found them wanting. And the PCI Security Standards Council admits that some auditors aren't as rigorous as others.
By combining resources and expertise, the AI-Enabled ICT Workforce Consortium will offer a blueprint for how industries can adapt to an AI-dominated future.
IT leaders should heed the guidance of cybersecurity insurance providers who think businesses should prioritize security education, incident preparedness, regular internal audits, and ongoing vulnerability scanning and patching.
There are many network courses that can address your present job's priorities and help you gain the needed skills to keep pace with industry changes and new technologies.
