New Business PCI Guidelines: Will They Work?

In the last few years, the theft of personal contact and payment information has occurred regularly—through individual identity theft in many cases, but also on a larger scale with several major business breaches. Both Target and Home Depot, major chain retailers, as well as JP Morgan Chase, Adobe, and several others have all experienced theft of client information within the last two years, each reporting several million consumers affected.

In an effort to put an end to this violation of consumer privacy, the Payment Card Industry (PCI) Security Standards Council issued a new set of guidelines for securing consumer information last year and indicated that compliant businesses were expected to be up-to-date by Jan. 1, 2015. If followed correctly, these new standards should limit the severity of business breaches in the future—if not prevent them outright.

But, will they work?

The council’s requirements hinge on the following three components:
Unfortunately, people are flawed, which often makes them the weakest link in data security. Just one person can cause a data breach by presenting hackers with an entry point (this is what occurred with Target in 2013). But better training can help prevent many mistakes. Those who handle consumer information directly must be trained in how to best secure that data. Equally important is good communication between the business and third-party service providers. The new standards require that businesses clearly articulate what aspects of data-security compliance service providers are expected to undertake, as well as their level of responsibility for any breaches. This prevents businesses from taking the fall for third-party service provider mistakes.

Third Parties

The new standards also require updates to how third parties handle client information. Instead of assigning one set of credentials to all clients, service providers, such as Web hosting companies or payment gateways, are now required to create unique authentication credentials for each PCI client. (For instance, if Susie’s Muffins uses an outside merchant to process credit card payments and Joe’s Shoe Mart uses the same provider, Susie’s authentication information would be different from Joe’s credentials; even if one was compromised, the other would be safe.) In this way, even if an unauthorized party somehow gained access to one merchant’s account, the others would still be protected, limiting the scope of the breach. Additionally, third parties would have to identify themselves through a two-factor system in order to access client information for any reason—giving hackers two hoops to jump through and making it harder for them to break into private systems without a lot more work.

Testing Standards

Another aspect of the new standards is an increase in the level of penetration and vulnerability testing required. While many companies have stated in the past that they had a firewall in place, thereby meeting the security requirement, the level of security provided by that firewall might have been minimal at best. Not all firewalls are created equal. As consumer privacy is vital, the PCI Security Standards Council is expected to push both merchants and third-party providers harder, by requiring that their systems be thoroughly tested to ensure that any potential vulnerability is discovered and neutralized.

While the implementation of new standards has the potential to increase security within smaller organizations and will bring definite changes to many external service providers, some security specialists advise that these standards should be viewed as a rough minimum for larger organizations, whose security needs may differ from the broad strokes of the PCI Council’s mandates. In order to maintain consumer trust, additional measures may be necessary.

The truth is: once the information is out there, it’s vulnerable to attack. Our great Golden Age of Information flows both ways and can be used against us by those with greater knowledge of the technology at hand. But without risk, there can be no reward and in this case, the ability to upgrade technology and make smart choices can minimize the amount of risk to both consumers and businesses.

The new PCI standards are intended to help in transitioning to a more secure consumer world, and I think I speak for all consumers when I say I really hope they work.