In acknowledgement, dare I say celebration, of Payment Card Industry Data Security Standard, or PCI’s 10 anniversary, Bank Info Security published a review of the impact that PCI has had on the industry and its effectiveness:
We’ve asked experts in the U.S. Europe, India and Australia to offer their opinions about the efficacy of the PCI Data Security Standard and whether it will still be needed 10 years from now (see PCI DSS: The Asian Journey to Compliance). We’ve also spoken with experts on the PCI Council, too, including General Manager Stephen Orfei, Chief Security Officer Troy Leach and International Director Jeremy King. And the over-arching message has been the same – PCI may not be perfect, but its widespread adoption has dramatically improved card security. And the need for PCI is not going away anytime soon.
It’s easy to look at the payments landscape and see only the flaws, the security lapses and the breaches. Even with EMV chip deployment taking hold in the U.S. and in other parts of the world, important security issues remain. Payment card data is going to be vulnerable for quite some time – at least until the magnetic stripe is completely replaced with the chip, whether on a card or within a mobile device.
There is an acknowledgement that PCI is not going to resolved all the ills that the payment market endures around security and fraud, but it could be argued, the industry would have been worse off if PCI had not been in place when the major data breaches began to hit the industry 3-4 years ago:
Ten years ago, people weren’t doing anything,” Bob Russo, the former general manager of the PCI Security Standards Council, says of inadequate security measures. “A breach opens everybody’s eyes. But you have to keep reminding them.”
Reflecting back on the early days of the council, Russo says its members initially believed they could create a standard, work for about five years to ensure it was adopted, and then card security would no longer be a major issue.
“We thought everything would be secure by then,” he says. “We thought EMV was going to be the panacea; and we thought PCI might go away. Now we know that is not the case. Will PCI have to evolve? Yes. But I think PCI and EMV will come closer and closer together. In 10 years, they may not call it PCI. But there will be some form of PCI security 10 years from now.”
Overview by Sarah Grotta, Director, Debit Advisory Service at Mercator Advisory Group
Read the full story here
