Any business that processes or stores credit and debit card data, whether it is involved in the retail space or some other category, will need to comply with the ever-evolving Payment Card Industry Data Security Standards (PCI DSS). This is a compliance program designed to keep payment card data safe and secure, despite the relentless hackers and fraudsters who would look to gain access to this information at any cost.
This is no easy task, as noted by Help Net Security contributor Mark Burnette. PCI DSS is an industry-created and industry-maintained set of rules designed to put forth the best security practices for merchants to follow. New versions of the protocol are constantly being unleashed, with PCI DSS 3.0 coming into effect in 2014. Failure to comply with PCI rules can result in huge fines of up to $100,000 per month, with punishment ramping up for merchants that experience breaches while out of compliance.
Clearly, PCI DSS is something every business that deals with payment cards needs to be aware of and follow. However, with such strict enforcement of the standards, that begs the question - does PCI DSS even help retailers protect their card information?
Is PCI DSS part of the problem?
At least one retail security expert thinks that standards set forth by PCI DSS are not adequate enough to set an effective baseline for holders of credit card information. Salva Gomzin, author of “Hacking Point of Sale: Payment Application Secrets, Threats and Solutions,” believes that PCI DSS is highly prescriptive and does not help much to protect businesses from threats.
The problem, Gomzin told tech publication Computing, is that PCI DSS is formed and modified largely by looking back at past events and putting measures into place reactively. However, because modern fraudsters are using technology in new ways to crack security protocols, best practices that worked last year - or even last month - may become outdated quickly, which leaves businesses vulnerable.
“The problem with PCI DSS is that it initially put some controls around the cardholder data that is stored on the hard drive,” says Gomzin. “That’s because 10 years ago, most of the security breaches were associated with card details stolen from hard drives because it was the easiest way to get card data: just penetrate the network, look for a POS machine and copy the information from the hard drive.”
This can be problematic because businesses often spend a lot of money on achieving compliance with PCI DSS, but at the end of the day, taking these measures does not seem to matter as much as it probably should.
If merchants really want to be secure, they need to go well beyond PCI DSS and deploy point-of-sale systems that will encrypt data more effectively. Whereas PCI DSS aims to make sensitive data harder to reach, encryption makes the information virtually useless to hackers, which may be a more effective approach in the long run.