Delmarva Document Solutions

PCI and Data Security: The Prioritized Approach and a Look Ahead

Introduction
The Payment Card Industry (PCI) Security Standards Council™ guides the efforts of Chief Information Security Officers, Compliance Officers, and others who protect cardholder information for payment card issuers, merchants, banks, processors, and service providers. The Council's PCI Data Security Standard (DSS) is a comprehensive set of requirements for security infrastructure, policies, and practices, intended to improve the security of cardholder and account data throughout the industry.

As the PCI Council completes its fifth year of operation, this paper reviews:

• successes and setbacks of the PCI Data Security Standard

• implications of the Council's new Prioritized Approach to DSS

• practical steps professionals can take to improve data security and maintain PCI DSS compliance

• effects of emerging technologies and legislation

This paper is an update and guide, not a tutorial on PCI DSS. Readers new to the standard should consult the excellent materials1 available from the PCI Security Standards Council itself, or one of the many introductory guides available from solution providers.

Compliance and Security
Few doubt that PCI DSS has helped standardize industry security practices and improve data protection. Often cited as a model for industry self-regulation, DSS helps card brands, issuing banks, merchants, and others reduce direct losses from fraud, and risks of reputation loss and litigation from data security breaches. Industry members comply with the standard out of direct financial self-interest, or indirectly to support the interests of powerful partners. DSS has been especially effective at improving security practices on the industry's front lines. In the words of Ellen Richey, Chief Risk Officer for VISA, "More than 90% of the largest card accepting merchants and about 97% of processors in the United States have validated compliance with PCI. The companies that fully embrace it are protecting themselves every day by maintaining their defenses, scanning systems, detecting anomalies and addressing threats."3
