An Introduction to PCI DSS

The ability to process credit card and debit card payments is essential to most merchants' success. But, the industry is battling a growing problem: credit card fraud. It has cost card processors, merchants, and in some cases, consumers, billions of dollars. In response, the payment processing industry has initiated a set of security protocols. Called the Payment Card Industry Data Security Standard (PCI DSS), these protocols were established to help prevent hacking and security breaches into consumers' accounts.

Objective Of The PCI DSS

Over the past decade, most fraudulent activity involved small businesses. According to a 2005 study by Visa USA Inc., at least 80% of cases involving fraud can be traced to activity from small merchants. The primary goal of the PCI DSS is to limit fraudulent card activity. It accomplishes this through a number of measures, including prohibiting merchants from storing certain types of information (such as the 3 or 4-digit security codes).

How It Began

Before the PCI DSS was established, each of the major credit card companies had their own security standards to which they held merchants. Visa promoted their Card Information Security Program while American Express created their Data Security Operating Policy. Mastercard created the Site Data Protection protocol while Discover enacted their Information and Compliance standards. Though created separately, each company had the same goal: to offer consumers more protection from fraud. They did this by working with their respective merchants to establish security measures that would protect consumers' card data.

Realizing that their efforts for increased security with the goal of reducing fraud were consistent with each other, the credit card companies joined forces. At the end of 2004, the Payment Card Industry Security Standards Council (PCI SSC) was established. Soon after, the first version of the PCI DSS was drafted and released.

Areas Of Compliance

The current version of the PCI DSS promotes a series of 6 "control objectives." These include maintaining a secure network, protecting consumers' card data, and implementing measures to reduce vulnerability. They also include restricting access to sensitive information, performing ongoing testing of the network, and creating a formal policy that deals with information security.

The PCI DSS expands these "control objectives" by detailing the expectations to which merchants are held in each area. When market trends suggest that additional security measures are needed, the PCI DSS is updated.

Problems With The PCI DSS

While the PCI DSS is valuable for the overall protection of consumers' credit and debit card data, it is not without inherent problems. For example, the main reason why most fraudulent credit card activity involves small merchants is because most of these merchants are uninformed. Card processors often neglect to communicate the PCI DSS expectations to merchants. As a result, many small merchants are unaware of the standards to which they are expected to comply.

Making matters worse, millions of merchants do not have a clear understanding about how their own card processing systems work. In many cases, they end up storing card data without realizing it. Because smaller merchants are more susceptible to hacking and other breaches of security, the storage of this data presents a substantial level of exposure for the card industry.

The PCI DSS is relatively new. The joint council (PCI SSC) is continuously reviewing trends and identifying areas in the current set of security standards that require improvement. Meanwhile, they are encouraging card processors to be more proactive in communicating the terms of compliance to merchants. It remains a challenge. As one small business owner who paid thousand of dollars in fines said, "I thought I was doing everything I was supposed to do."

This article is brought to you by PaySimple, a leading provider of merchant account services.