History of PCI-DSS Regulations
In an age of advanced information technology (IT), people have come up with various ways of embracing every available avenue of IT and credit card payments have not been left behind. Credit card companies have diversified their payment options to make transactions easy for cardholders. Despite the progressive efforts made, there are still loopholes where malicious individuals are able to manipulate information systems and make away with revenue. In a bid to fight the war against credit card fraud, many steps have been taken such as the coming together of major credit card companies to form a regulatory board tasked with ensuring quality assurance for cardholders. Over the years, considerable steps have been made to improve security. Revisions that are constantly being made to the regulations and requirements have also helped ensure client information is secured.
Keywords: Credit Card, Fraud, System Security.
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of policies that companies which accept and handle credit card information are expected to adhere to. PCI standards are created by the credit card companies and passed to the Payment Card Industry Security Standards Council for approval and implementation (Wood & Lineman, 2009). This set of regulations was arrived at in order to protect cardholders from the numerous cases of credit card fraud that were being witnessed. Notably, this move helped secure cardholders’ information, thus reducing instances of identity theft. Because standards require constant revision to remain effective, compliance with PCI-DSS is assessed regularly by either an external Qualified Security Assessor (QSA) or a firm-appointed Internal Security Assessor (ISA). This paper discusses the history of PCI-DSS laws, the introduction of a credit card council, and the factors that led to that introduction.
History of PCI-DSS
Between 1988 and 1998, two credit card companies, MasterCard and Visa, reported losses of close to $750 million (Wood & Lineman, 2009), although this amount, when compared to the number of transactions that were being conducted annually, was a drop in the ocean. However, it was during this time that the internet era dawned and scammers started exploring different avenues for credit card fraud. As merchants embraced the concept of internet trading via credit cards, fraudsters took advantage of the non-stringent, and in some cases nonexistent, laws that surrounded credit cards. The fact that cybersecurity had not yet been addressed as exhaustively as it is today was another factor that encouraged fraud.
In October 1999, Visa officially approved a cardholder information security program that was aimed at reducing the instances of identity theft and credit card fraud. Visa’s Cardholder Information Security Program (CISP) is considered to be the first precursor to the many PCI-DSS laws. CISP has since been superseded by PCI-DSS (Wood & Lineman, 2009). In 2000, CyberSource reported that online revenue lost as a result of credit card fraud was over $1.5 billion, and warned that the figure could triple if appropriate action was not taken in due time. In May 2001, brands were still struggling to comply with Visa’s CISP requirements. This struggle was complicated further by disparities between Visa’s North American guidelines and its international guidelines. Due to the lack of a single common standard among the different credit card brands, the security guidelines that were implemented were largely unsuccessful. By July 2004, there were reports of rampant attacks targeting web infrastructure. The most commonly identified method of fraud was planting keystroke loggers and Trojans on vulnerable machines and then using the data they collected to steal people’s credit card information.
On 15th December 2004, the first of many PCI-DSS regulations was put into operation (Black, Fong, Okun & Gaucher, 2008). PCI-DSS 1.0 was the first unified regulation agreed on by the five major credit card brands, namely MasterCard, Visa, American Express, Discover and JCB. Compliance with these standards was made mandatory for all merchants as well as any other organizations involved in the processing of credit card payments. The purpose of this standardization was to close every existing loophole in the cyber world that could be exploited by scammers and phishers. The standardization was hailed by merchants and credit card companies as a major milestone in the fight against fraud and as a breakthrough that offered incredible potential for future improvement. By June 2005, all merchants who handled a minimum of 20,000 credit cards annually were expected to be PCI-DSS 1.0 compliant (Black, Fong, Okun & Gaucher, 2008). While many traders allocated resources to improving their IT systems, not everyone was able to comply by the set deadline.
Requirements of PCI DSS
The PCI DSS compliance requirements were organized under six standards (Miller, Fleet, Celenza & Shust, 2014). The first requirement was for companies to build and maintain a secure network system; the second was that companies were expected to protect the cardholder’s information. Third, companies were tasked with developing and maintaining a program to manage vulnerabilities (Sheth & Thakker, 2011). They were also responsible for implementing strong access control measures as well as monitoring and testing their networks (Miller, Fleet, Celenza & Shust, 2014). The final requirement was that companies would maintain an information security system.
Requirements for building a secure network system
The PCI DSS also provided the following standards that would be expected of companies building network systems (Morse & Raval, 2008).
1. Installation and maintenance of a firewall configuration that would protect the client’s card information. The firewall was expected to inspect all network activity and block unauthorized network traffic from gaining access to the system.
2. Ensuring that vendor-supplied defaults in software were changed. Defaults such as passwords and other security settings can easily be discovered by fraudsters, putting consumers’ information at risk.
3. Ensuring that stored card information is protected. This can be done through encryption, masking and truncation of the stored information (Sheth & Thakker, 2011).
4. Encrypting cardholder information when it is transmitted over open networks, to prevent interception and use by malicious individuals. Encryption is to include the use of trusted keys and certificates in communication.
5. Ensuring every system is protected from malware through regular checks and regular updating of the system’s antivirus software (Sheth & Thakker, 2011). Since malware can be delivered in a number of ways, such as through employee emails and files downloaded online, constant vigilance is paramount.
6. Developing and maintaining secure systems. Building a system is not sufficient on its own; developers are expected to ensure the systems are secure and that every known vulnerability is addressed through the installation of security patches.
7. Ensuring that only authorized individuals have access to cardholder information, and keeping the number of authorized people to the minimum possible.
8. Authentication and identification of individuals with access to information. This helps identify the source of a breach should one occur.
9. Restricting physical access to card information (Sheth & Thakker, 2011).
10. Tracking and monitoring all access to card information and flagging any abnormalities.
11. Regularly testing the security systems to check if they are functioning according to the expected levels.
12. Maintaining a system of information security that applies to every employee and all personnel involved in data processing.
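As an added example (not code from the paper or from the PCI SSC), the masking and truncation called for in item 3, together with a Luhn-based scan that flags unmasked card numbers in log lines, which is the kind of abnormality item 10 asks operators to track; the log lines are constructed, and the masking rule assumed is the one PCI DSS states (display at most the first six and last four digits).

```python
import re

# Constructed sample log lines, not taken from the paper.
SAMPLE_LOGS = [
    "2024-01-01 order=1234 pan=4111111111111111 status=ok",  # unmasked test PAN
    "2024-01-01 order=1235 pan=411111******1111 status=ok",  # already masked
    "2024-01-01 order=1236 ref=1234567890123 status=ok",     # 13 digits, fails Luhn
]

# Candidate PAN: a run of 13-19 digits not adjacent to other digits.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; every real card number passes, so it filters out order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask for display: keep at most the first six and last four digits."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def truncate_pan(pan: str) -> str:
    """Truncate for storage: only the last four digits are kept."""
    return re.sub(r"\D", "", pan)[-4:]


def find_unmasked_pans(lines):
    """Return (line number, masked PAN) for every Luhn-valid PAN found in clear."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in PAN_RE.finditer(line):
            if luhn_valid(m.group()):
                hits.append((n, mask_pan(m.group())))   # never echo the full PAN
    return hits


def scan_sample():
    return find_unmasked_pans(SAMPLE_LOGS)
```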
On 6th September 2006, an improvement on version 1.0 was released (Morse & Raval, 2008). This new version revised requirement 6.6. The revision required all custom code to be reviewed by a professional for vulnerabilities (Morse & Raval, 2008). It also required a firewall to be installed in front of every web-facing application. On the same day, the five major credit companies announced the creation of the PCI Security Standards Council (PCI SSC). The council was an independent group, separate from all five companies, tasked with managing the standards going forward (Miller, Fleet, Celenza & Shust, 2014). This move was intended to ensure equal representation of all the companies’ interests as well as safeguarding consumers’ information.
In December 2006, TJX, a data company, discovered and reported a major breach in its network (Peretti, 2008). The breach was said to have originated from the company’s wireless network and ended up exposing customer information. Although it was just one of many breaches experienced by companies, this one is noteworthy because, after a one-month investigation, it was discovered that more than 45 million TJX customers had been affected (Peretti, 2008). This put internet security on the global map and helped direct much-needed attention towards securing such information. The TJX incident has since been used by PCI compliance experts as an example of what not to do when securing credit card information.
In April 2007, there was an attempt to have the PCI standards relaxed by one Phill Mellinger, who criticized the high bar that merchants were expected to meet (Karanja, 2017). This came after an estimate that, in 2007, almost 60% of merchants had still not complied with the standards. Mr. Mellinger attributed this non-compliance to the supposedly high standards. There was also increasing pressure from merchants on the SSC to ease the standards, so much so that the PCI-DSS general manager, Bob Russo, had to speak out and defend them. He said that “Everyone involved in the payment process has a duty to consumers to protect their data to the highest standards. This is the baseline principle and will not be achieved by loosening of the PCI DSS requirements” (Karanja, 2017). It is also important to note that many companies did not treat the PCI requirements with the importance they deserved. This can be seen in companies’ underestimation of PCI costs (Karanja, 2017). A study conducted in 2007 revealed that actual PCI compliance costs often ran more than 40% above companies’ estimates.
The Payment Application Data Security Standard (PA DSS) made its debut in early 2008. A sister standard to PCI DSS, PA DSS was aimed at securing the payment information made available to software vendors and at guiding the development of other software that would help secure client information. PA DSS also helped ensure that payment software did not store sensitive authentication data such as PIN data, the full magnetic stripe, and CVV2.
Other notable revisions
In October 2008, version 1.2 was released and focused mainly on addressing the evolving risks and threats that came with a more advanced internet age, enhancing clarity in understanding the PCI DSS requirements and increasing the flexibility of the regulations.
In August 2009, version 1.2.1 was released, bringing corrections aimed at creating clarity and consistency in the regulations and the documents that accompanied them.
In October 2010, version 2.0 was released. Version 3.0 was released in November 2013 and implemented from January 2014 to June 2015. Version 3.1 was released in April 2015 and was used until October 2016. Version 3.1.2 was released in April 2016 and is expected to remain in effect until December 2018, after which version 3.2, released in May 2018, is expected to take effect from January 1, 2019.
The PCI SSC
Formed on 7th October 2006, the PCI SSC was tasked with managing changes to the PCI DSS standards and ensuring the standards are constantly revised to encompass the various changes of the internet age (Network, 2006). Membership of the council is limited to the five credit card companies that were present at its inception (Network, 2006). The top managerial positions in the council are likewise reserved for members of those companies. However, interested outsiders can participate by registering as participating organizations, which are organized into special interest groups (Network, 2006).
In conclusion, considerable steps have been made towards improving web security and ensuring credit card information is secured to the highest possible standards. By forming a joint body, the credit card companies ensured that the interests of cardholders were given top priority. The measures implemented have so far seen a reduction in credit card fraud compared to the incidence seen before the formation of a regulatory structure and a council to implement it. It is, however, important to note that fraud still occurs despite the many regulations, which calls for continued vigilance in combating it.
Black, P. E., Fong, E., Okun, V., & Gaucher, R. (2008). Software assurance tools: Web application security scanner functional specification version 1.0. Special Publication, 500-269.
Karanja, E. (2017). The role of the chief information security officer in the management of IT security. Information & Computer Security, 25(3), 300-329.
Network, U. D. (2006). WED.
Miller Jr, H. S., Fleet, M. R., Celenza, B. J., & Shust, D. (2014). U.S. Patent No. 8,886,937. Washington, DC: U.S. Patent and Trademark Office.
Morse, E. A., & Raval, V. (2008). PCI DSS: Payment card industry data security standards in context. Computer Law & Security Review, 24(6), 540-554.
Peretti, K. K. (2008). Data breaches: what the underground world of carding reveals. Santa Clara Computer & High Tech. L.J., 25, 375.
Sheth, C., & Thakker, R. (2011, February). Performance evaluation and comparative analysis of network firewalls. In 2011 International Conference on Devices and Communications (pp. 1-5). IEEE.
Wood, C. C., & Lineman, D. (2009). Information Security Policies Made Easy, Version 11. Information Shield, Inc.