
PCI-DSS: Pioneer for A New Data Protection Era

In the current data compliance and data security climate, empowered regulators are really flexing their muscles. Within the space of a few days in early July this year, the UK’s Information Commissioner’s Office (ICO) announced its intention to fine just two companies in the neighborhood of $350 million for GDPR breaches.

That represents a massive shift in the financial jeopardy faced by organizations that fail to protect data. In the same week, the ICO published its annual report, which revealed that in the year before GDPR came into force, it had issued a “record-breaking” level of monetary penalties. But that record-breaking year saw it hand out 22 fines totaling just £3 million (around $3.7 million). What a difference a week makes.

When those fines were announced, GDPR had been in operation for less than 18 months. Both companies had suffered data breaches affecting customer payment card data, and before GDPR gave regulators government-backed authority, important voluntary standards such as PCI DSS already provided a framework for organizations to protect this kind of user data from exposure.

Despite the obvious headline-grabbing impact of GDPR, PCI DSS has stood the test of time. This year, it will reach its 15th birthday and remains internationally recognized as an important standard in its own right, while also playing a role in broader GDPR compliance.

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard set by the five major payment brands and industry stakeholders to protect user data from exposure. It is a “self-regulating” industry standard, which means there are no governmental regulations covering compliance with it, and enforcement is left to the individual payment brands. Any organization that deals with credit card information must take steps to protect this information as it is used, stored and transmitted. Organizations that suffer a breach and have not taken steps to ensure compliance can be penalized, and in some cases may even be prohibited from working with specific payment brands.

The longevity and continued relevance of PCI DSS underline what an important standard it remains in an era when data protection and security regulations are stronger than ever.

In part two of our PCI compliance blog series, we will focus on the next stage in the evolution of PCI activity: the PCI Software Security Framework (PCI SSF). Stay tuned!