After another spate of articles and speeches about the PCI DSS and why it is worthless, I thought it might be a good idea to explain why the PCI standards came to exist.
In 1999, Visa USA began to work on what became the Customer Information Security Program or CISP. The first official version of the CISP was issued in the summer of 2003 with Visa asking select merchants to comply with the CISP as soon as they could. The original impetus for the CISP was increasing chargebacks that resulted from the fraudulent use of credit card accounts. An analysis of these chargebacks had started to paint a picture of merchant employees who were increasingly using their access to point of sale (POS) and accounting systems to obtain credit card numbers and then using those numbers to commit fraud.
As development on the CISP progressed, Visa USA also started to see increasing instances where an e-Commerce site had been compromised and the credit card information stored on the site had been taken by an attacker and then was fraudulently used. The reason these compromises had resulted in cardholder data being exposed was that application developers had used the same software design models for e-Commerce as those that were used by traditional POS. This resulted in cardholder data being stored in databases that faced the Internet.
A year or so after the start of Visa USA’s efforts, MasterCard International began development of the Site Data Protection (SDP) standard. Unlike the CISP, the SDP focused specifically on the security of e-Commerce sites. MasterCard had monitored the rising fraud rate related to the compromise of e-Commerce sites. Like Visa USA’s analysis, MasterCard’s analysis of the problem pointed to the fact that most e-Commerce sites were storing cardholder data in databases that faced the Internet and were not very well protected from compromise. As a result, MasterCard approached the problem with the SDP, which specified a basic level of information and network security for e-Commerce Web sites.
As work progressed on the CISP and further statistics on security issues were gathered, Visa USA began to recognize that the on-line payment applications themselves were the biggest problem related to the compromising of cardholder data. As a result, Visa USA developed the Payment Application Best Practices (PABP) standard. The PABP was published in late 2004 with Visa USA encouraging software vendors to use it as a benchmark for securing their software.
It has been suggested that the PCI standards were only developed to minimize the losses to the card brands and banks and do nothing for merchants. However, the PCI standards were meant to protect everyone in the transaction process. When a breach occurs, the first thing people remember is the name of the card brand(s) involved, the second name is likely the merchant or service provider and the third name is the franchisee if that is the case. The card brands, service providers and franchisers discovered that their reputations were highly at risk, even though it was typically the franchisee merchant that actually created the problem. Regardless of who caused the breach, the card brands further discovered that what people really remembered from breaches were the card brands’ names and everything else was forgotten. As a result, the card brands became determined to protect their brand names and reputations.
There was another recent suggestion that the PCI DSS was not needed because market forces would resolve the security issues inherent in conducting credit card transactions. The first problem with that idea is that most merchants and service providers are unconvinced that they are responsible for securing cardholder data, even after they might have suffered a breach. They believe that it is the card brands’ problem to secure cardholder data because the card brands are the ones that generate the cards. Unfortunately, the security of cardholder data is mostly outside of the control of the card brands; therefore, the merchants and service providers need to be responsible for securing cardholder data as well. The second problem with that idea is that for every security “expert”, there is a corresponding security baseline. No one agrees on security, because everyone’s view is from their own perspective and the threats that they see or perceive. As a result, some organizations have very strong and strict security (e.g., banks), while others have only marginal security. The problem with this approach is that security is only as good as the weakest link in the chain. So those organizations that have weak security practices become targets for attacks against the entire process chain. In our interconnected world, that puts those organizations with strong security at risk if they are partners to those organizations that have weak security. The card brands therefore recognized that a single standard baseline was needed just to provide a consistent foundation on which to build additional security.
So, that is how we got where we are today. Hopefully with this perspective you can now understand why the standards exist and their use in providing basic, essential security for cardholder data.