Summary
In 2001 Visa developed the first credit card industry security standard, the Cardholder Information Security Program (CISP). Around the same time MasterCard and the other card brands began developing their own separate but similar security standards. After each had created its own data security standard, the major payment card brands, normally fierce competitors, decided to work together for the overall benefit of the payment card industry. Ultimately Visa, MasterCard, American Express, Discover, and JCB became the founding members of the Payment Card Industry Security Standards Council (PCI SSC).

They also merged the best concepts of their individual standards to create a single, comprehensive, industry-wide security standard: the PCI Data Security Standard (PCI DSS). Having a single cardholder data security standard consolidated the card brands' processing security requirements and the associated compliance validation requirements.

It also reduced confusion among merchants and service providers over which standard to follow when accepting payments from many different card brands. Compliance with PCI DSS has since become a global requirement for any business or entity that processes credit card transactions as payment for goods and services. Although the PCI compliance deadlines have come and gone, many organizations are still working hard to achieve compliance and remain behind.

Mandatory compliance with any industry or regulatory requirement can appear to be an overwhelming challenge. Having to comply with PCI DSS might feel like yet another regulatory burden when so many entities already have to contend with Sarbanes-Oxley, GLBA, HIPAA, and similar requirements.

Rethinking PCI requirements
Over the last few years there have been a number of high-profile security breaches and instances of identity theft. The financial consequences of investigating the cause of a serious data breach and attempting to remediate its impact can be staggering. In some instances the liabilities and consequences of dealing with large-scale data theft have driven companies out of business. Each breach involving the unauthorized disclosure of cardholder information has reinforced the urgency of protecting sensitive cardholder data. Some of the largest payment card breaches to date include the TJX (parent of T.J. Maxx) breach, involving approximately 45 million compromised customer records, and the more recent Heartland Payment Systems breach, estimated to have compromised tens of millions of credit and debit card transactions.

While PCI DSS might seem like just another snarl of red tape to companies already burdened with compliance requirements, the standard is based on sound information security best practices. It is comprehensive and well designed. As such, its core principles for securing cardholder information and protecting the systems that process it are consistent with the requirements found in Sarbanes-Oxley, GLBA, HIPAA, and similar regulations. If a business or entity is already compliant with those standards, much of what PCI DSS requires may already be in place. Addressing PCI compliance as well further reduces unnecessary risk to existing business processes and assets, and it can produce measurable gains in business efficiency and data security.

The Return on Investment of Payment Card Industry Data Security Standard (PCI DSS) Compliance


There is an old saying that "a rising tide lifts all boats". Implementing a cardholder information security program based on PCI DSS helps reduce the risk to all business assets across the enterprise. It is also an investment that provides many returns over time.