Analysis: PCI DSS, five years on

Last month marked the five-year anniversary of the PCI Security Standards Council. Looking back now, it is amazing to see how far we have come as a result of the ongoing participation of security professionals like you. An integral part of the PCI community, you have helped steer the process, driving PCI awareness and adoption levels that have led to the overall growth and improvement of payment card security we see today.

At the time of our launch, PCI adoption rates were at levels that matched lack of awareness in the market. Our stakeholders told us, and we recognised the challenge with the multiple ways that merchants had to tackle data security and report their compliance to each of the payment card brands. We listened and knew there had to be a change in order to increase adoption of PCI standards and improve payment data security.

This required a forum for those using the PCI standards to input their experience and feedback in the development of the guidelines. We had to find an avenue for listening and working with those on the front lines – this would be the driver for change.

To that end, you and the rest of our community have responded in force, pushing the evolution of the PCI rules and playing an instrumental role in producing critical supplemental guidance on topics of great interest and importance to the market – including, EMV, point-to-point encryption, wireless, skimming prevention, tokenisation – that underscore our commitment to provide what stakeholders ask for.

At Visa, we are encouraged that compliance validation statistics for level-one merchants have moved to 97 percent in the United States. We are also seeing gains in adoption of the standards among the smaller merchant community. As a result of our collective efforts, we are seeing fewer large-scale card data breaches in the marketplace. And when breaches do occur, entities that have applied the PCI standards are in a better position to mitigate the impact of the compromise.

To drive security forward in the midst of a rapidly evolving payments system, we will have to continue to focus on and listen to where the market is going and what you are telling us. This means that the standard, our very core, needs to continue to evolve. And the way we do that continues to be through feedback from the community.

This community must continue to be the engine that propels us forward. With the ongoing involvement and input from you and your peers that has brought us this far, together as champions of PCI, we will ensure that in a changing payments environment, the security of card holder data remains paramount.

30 seconds on:

• Back in the day Visa level-one PCI compliance was tracking at only 12 percent in March 2006, and PCI efforts were considered primarily a U.S. concern, after the recent migration to EMV in Europe.
• Consequently... As a result, U.S. data breaches in 2004-05 were possible through basic attacks, like SQL injection. But the lack of initial buy-in led to similar breaches in subsequent years.
• Reaching out The council knew it couldn't do it alone. We needed our stakeholders' expertise to succeed. So we established a strong community of more than 600 participating organizations.
• Future efforts You've told us you want more guidance on mobile payments and further exploration of P2PE, cloud, virtual payment cards, and new payment formats and other technologies.