The Payment Card Industry Data Security Standard (PCI) is an excellent set of security requirements with which all of the major Credit Card companies expect merchants to comply. It includes technological, operational, and physical security measures designed to keep credit cards secure. To avoid penalties and fines, merchants are required to validate their business practices to these standards, and by this time, many merchants have invested a huge amount of time, effort and money into their PCI Compliance programs. As a security company, we applaud any measure that causes retailers to investigate and remediate their security vulnerabilities. While the effectiveness of PCI as a security standard will be evaluated over time, it appears that many retailers cannot see the forest for all of the trees that are in the way.
PCI is a credit card security standard. It deals with protecting sensitive cardholder data. Other data such as the name on the credit card, expiration date or anything else which can be tied back the primary account number on the credit card is considered to be cardholder data as well, but the key is that for PCI to be concerned with any data in general, credit cards have to be involved.
Merchants are so concerned with validating their compliance to their acquiring bank or to the credit card companies directly, that we are seeing many of them ignore other gaps in their security because they are not in scope for PCI. With enough personal information, thieves can steal someone's identity. Many retailers, especially fast casual restaurants with a loyalty program, have the names, birth dates, home addresses and other sensitive data about their customers. We have even see retailers ask for social security numbers which they use as the "ID" number for their programs. This personal data is just as critical to protect as credit cards, but your bank will not be checking on that security.
Here is the ironic part, PCI is not a law. The credit card companies are attempting to self-regulate security without the intervention or supervision of the government. On the other hand, there are both federal and state laws that concern themselves with protecting sensitive personal information which could be used to perpetrate identity theft. In fact, it is more devastating to a patron to have a criminal take personal information and obtain illegal (but legitimate) credit cards through identity theft than to have fraudulent credit card purchases made from stolen credit card data. The cardholder has built-in protection from fraudulent purchases made on their credit cards, but an identity thief who has established numerous illegal credit cards, or purchased assets in someone's name can destroy the credit score of victim for years. It is not uncommon for some identity theft victims to spend several years in court trying to reclaim their good name and defend themselves against angry creditors.
While it is true that PCI only concerns itself with credit cards, as a merchant, think about security holistically if you want to protect your patrons. If you have sensitive data of any kind, protect it. The recent stories about the identity theft from New York and Georgia should be enough to convince anyone that this issue should be on the mind of everyone who collects sensitive data (even if your bank is not asking about it).
Bradley K. Cyprus has more than 20 years experience in the security industry. He manages the development of in-house solutions to validate compliance, and he is a resource that Vendor Safe customers can rely upon to help interpret the PCI standard.