September 2007

BUSINESS INSIGHT: PCI DSS Compliance: An Overview

By Carl Banzhof,
Vice President and Chief Technology Evangelist, McAfee Inc.

PCI DSS. It's quite a mouthful. The acronym stands for Payment Card Industry Data Security Standard, and the deadline for merchant compliance is looming. September 30, to be exact. The rules went into broad effect years ago, but enforcement is being upped significantly as of October 1.

To that, I say it's about time.

At the highest level, PCI DSS represents a common set of tools and measurements to help ensure the safe handling of sensitive card and payment information. More specifically, it's a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.

PCI DSS was created in January 2005 by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International. The council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. According to its web site, its mission is "to enhance payment account data security by fostering broad adoption of the PCI security standards."

Well, after two years of "fostering broad adoption," i.e., encouraging banks and merchants to act, the big guys in the PCI are finally putting their collective feet down and demanding compliance. Or else.

The details
As of September 30, Visa, MasterCard Worldwide, Discover, American Express and JCB will penalize entities that store, process or transmit cardholder data but don't comply with 12 detailed security-related requirements. (The PCI Security Standards Council does not anticipate making changes to the standard more frequently than on an annual basis.)

This month's issue of Security Insights includes a technical article that dives into the details, but the requirements are designed to:

  • Build and maintain a secure network
  • Protect cardholder data
  • Ensure the maintenance of vulnerability programs
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Ensure the maintenance of information security policies

The PCI council itself is not a compliance organization, but the individual brands within it are establishing their own compliance programs. For example, Visa's PCI standard applies to all payment channels: brick-and-mortar, mail, telephone and online. Level 1 merchants (more than 6,000,000 Visa transactions per year) are required to conduct annual onsite PCI security audits, while Level 2-3 merchants (more than 20,000 Visa transactions per year) must have a PCI-approved vendor perform a quarterly network scan, in addition to filling out annual compliance questionnaires.

A collaborative effort
While the deadline is approaching fast, preparation for PCI DSS compliance has been a long time coming. The united movement we see now is a collaborative evolution of earlier efforts by Visa and MasterCard to ensure payment security through Visa's Account Information Security (AIS) and Cardholder Information Security Program (CISP) initiatives, and MasterCard's Site Data Protection (SDP) program.

Last year Visa launched a compliance acceleration program to get Level 1 and Level 2 merchants to implement the PCI requirements—and was the first to set September 30, 2007 as the deadline. The program includes incentives and penalties, including fines of up to US$25,000 per month and loss of tiered interchange rates for merchants that fail to demonstrate compliance. Interchange rates are the commissions that merchants pay per transaction, with the most active merchants paying less than their smaller counterparts. The threat of losing those rates, of course, is a major driver of compliance.

On the flip side, Visa is also rewarding merchants that demonstrate PCI compliance. According to an article last month in Computerworld, Visa has set aside US$20 million in reward money under the incentive program and has already paid out about US$7 million to compliant companies.

This move is long overdue. Over the past year we've seen a number of security breaches at major retailers, most notably the one suffered by TJX Companies, which operates more than 2,000 retail stores under brands such as Marshalls, T.J. Maxx, Bob's Stores, HomeGoods and A.J. Wright. In January of this year the company announced that more than 45 million customer debit and credit card numbers in the United States and abroad had been stolen. The breach was the largest ever, eclipsing the 40 million records compromised in 2005 at CardSystems Solutions.

Wheels in motion
As a result of all this effort, merchants are apparently responding and taking action, finally. In a blog post last month, I reported that, according to Visa, 96 percent of the largest organizations that accept debit and credit cards have stopped storing magnetic stripe information in their systems, meeting a key PCI requirement. Clearly no one wants to be the next TJX. In another recent post I discussed why the imminent holiday shopping season should impact the rate of PCI compliance before the deadline.

So what does this mean for the security industry? Smart vendors, McAfee included, are focused on providing solutions to help merchants both achieve and demonstrate PCI compliance. Every business and every network is different, so PCI DSS controls must be tailored to an organization's particular infrastructure. The key is to speak with your security vendor about where PCI compliance sits on your list of priorities, and then develop a strategy for filling any gaps in the process, people and technology surrounding it.

Buyers beware: Remember that you can't buy PCI compliance and should shy away from any vendor that makes such claims. Much like any other form of compliance (e.g., SOX, HIPAA, FISMA), it is ultimately the right combination of people, process and technology that will get your organization across the finish line.

I still think the best recipe for improving merchant security and protecting customer data across the board will be a combination of mandatory PCI compliance and legislative action (see my blog post on this), but without a doubt September 30 will mark a significant step forward for the security industry—and for the safety of card-carrying consumers around the world.
