PCI DSS Impact on the Payment Card Industry

Conformance to the PCI Data Security Standard (PCI DSS) has become a "cost of doing business." In order to participate in the card payment-processing industry, conformance is not negotiable. The only enforcement necessary to ensure adoption of the standard is exclusion from participation in the industry. Visa, MasterCard, and other card issuers have "decertified" service providers for nonconformance with the standard. The most notable of these events have occurred after disclosure of security breaches resulting in the loss of cardholder private data.

From a data security standpoint, the PCI standard represents commonly accepted data security standards and practices. There is nothing extraordinary in the standard. It is a set of standard best practices already well accepted in the IT security field. While the PCI standard represents basic security practices, the imposition of the PCI standard on the card payment-processing industry has had a dramatic impact on the technical infrastructure of the industry.

PCI has shifted the focus of every developer of card payment-processing software, in any form, from adding feature functionality and reducing cost to restructuring their software to accommodate the standard. The impact has been felt across the spectrum, from commercial software and system providers to individual retailers who develop and maintain their own systems. Similar to the general impact of SOX, the PCI standard has added a vocabulary of standards, controls, and audits to an entire industry, from the smallest participants to the largest and across the full range of industries.

A specialized cottage industry has arisen around the standard: evaluating conformance to PCI DSS, testing for conformance, and training companies on how to assess and comply with the standard. While the standard does not represent cutting-edge security technology, its introduction and enforced compliance changed the entire card payment-processing industry in less than 4 years.

Source: IT Auditing: Using Controls to Protect Information Assets by Chris Davis 2007
