Anyone who shopped at Target prior to December 2013 understands the impacts of credit card security breaches. On December 19th, Target announced that 40 million credit and debit cards were stolen and in January of this year, the company also disclosed that 70 million customers had their personal information compromised.
The bottom line for Target: 4th quarter profits fell 46 percent, CEO Gregg Steinhafel resigned and most likely years of rebuilding will be needed to repair damaged consumer trust.
The bottom line for consumers: Changing credit card accounts and the hassles that come with that, monitoring and in some cases adjusting credit reports, and evidently a lot less shopping at Target.
In the end, any organization that accepts credit/debit cards and collects cardholder information has a responsibility to protect and secure that data. One way to do this is to become PCI DSS compliant or ‘PCI Compliant’ and use a PA-DSS certified payment application.
What are PCI DSS and PA-DSS?
PCI DSS stands for Payment Card Industry Data Security Standard and has been around since December 2004. Prior to that, each major credit card company had its own set of standards and certification processes. While each set had similarities, there were certainly differences, and trying to maintain compliance with every set could be quite challenging. In response, the 5 major players at the time (Visa, MasterCard, American Express, Discover, and JCB International) got together to form the Payment Card Industry Security Standards Council (PCI SSC). The Council reviewed each set and created a single, unified standard.
PA-DSS (Payment Application Data Security Standards) was originally called Payment Application Best Practices (PABP) and was considered guidelines as opposed to actual requirements. On January 1st, 2008, Visa turned over its PABP process to the Council which made modifications to the requirements and renamed them ‘PA-DSS.’ This set of requirements was formally issued in April 2008.
Why should my organization become compliant?
Would the requirements outlined by PCI DSS have prevented the Target breach? That’s difficult to say with any certainty, but Ken Stasiak, CEO of SecureState – a PCI Forensic Investigator, said, “For a hacker to be able to infiltrate Target's network and access the POS application, several PCI DSS and PA-DSS controls must not have been implemented effectively. Thus, Target was not compliant during the time of the breach. How can I be so sure? We handle these investigations for the payment card brands, and in all of the investigations we performed, the merchant was not compliant to PCI DSS controls during a breach."
In the end, PCI compliance at some level may be required by your merchant bank or your third-party payment processor. There are even some states incorporating PCI DSS into laws.
How does my organization become compliant?
The first step should be contacting your merchant bank or third-party payment processor. They can assist you with becoming PCI Compliant and navigating the different levels of requirements that exist. For example, if you simply take credit cards as payment but never actually store the information, you may need to comply with a subset of the requirements while organizations that store cardholder information and even use certain devices to do so may need to comply with a larger set.
Also, the PCI Council website (www.pcisecuritystandards.org) has a lot of official documentation related to PCI and PA-DSS compliance. The best place to start is with the Requirements and Security Assessment Procedures document:
The time is now…
An estimated 823 million records were exposed in 2013 and according to the Online Trust Alliance, 89% of the international incidents in 2013 could have been prevented. While there are no guarantees, the prevailing wisdom is that being PCI compliant and using a PA-DSS compliant payment application will certainly increase your cardholder data security and reduce your risk of a breach.