The importance of a security standard can be measured not just by how accurate it is, but by how widely its effects are felt. Considering that the population of the United States alone holds just north of $1 trillion in credit card debt, it’s safe to say that the impact of the Payment Card Industry Data Security Standard (PCI DSS) reaches far, wide, and deep. And if we look closely at what the standard does, it’s clear that it’s not just about the card anymore. Any organization that conducts digital financial transactions of any sort needs to demonstrate a commitment to security and a willingness to conduct business on behalf of users in a safe environment.
PCI DSS is a compliance framework that protects debit, credit, and cash card holders against misuse of their personal data. It was created by the card brands as a way to protect themselves and to ensure trust with their customers, and was developed through a collaboration among American Express, Discover, JCB, MasterCard, and Visa in the midst of increasing credit card activity on the web. As customer data touched more digital endpoints, these companies were seeing more vulnerabilities that required considerable time and resources to remediate. PCI DSS is the de facto standard for guiding the security aspects of digital payment systems.
To be clear, however, the standard is not just about the data. As it’s written, it is “an actionable framework for developing a robust payment card data security process”. Note the word “process”. PCI DSS isn’t so much about locking up user data; it is far broader in scope and intent, covering how that data is handled throughout an organization.
This is especially important now that purchasing opportunities are increasingly enabled in non-traditional formats. It’s not just paying bills online, but the ability to buy and sell on mobile devices and through the Internet of Things (IoT). These are almost all governed by APIs, some of which are directly relevant to financial transactions. The proliferation of API usage means that data can be delivered to users in a highly usable and customized way, but doing so means more endpoints and more touches. By extension, that unfortunately means more potential for exposure. One could make the case that it’s now APIs and the cloud that run the global economy. Data is the foundation, and all of these technology innovations facilitate an expanding latticework of processes that create opportunities for credit, debit, and other payment cards to be used.
While data sits in software and moves around and between applications, it’s processes that facilitate all of this interaction. Processes identify, transact, and deliver user data where it can be most meaningful. More financial organizations are relying on the cloud to host and operate their technology functions, which means they’re using more web services that engage these processes. Every payment requires multiple API calls, and each call triggers still more processes. Staying on top of the security of all this activity is critical, but it can be overwhelming. Organizations that are PCI-compliant with their public cloud offerings, however, can take advantage of continuous cloud monitoring solutions like the Evident.io Security Platform (ESP) to ensure they are aware of the security health of their cloud environment.
Because every additional endpoint and every additional touch on cardholder data is a potential exposure, understanding where the threats are, and having a way to fix them, is critical not just as a technology component but as a business imperative.
Being PCI-compliant, therefore, is a necessity for any organization that makes or facilitates digital financial transactions. Companies that use APIs and cloud applications as forms of currency should take great care to ensure PCI DSS compliance so that those services can be employed for payments with other vendors and in their own right. When they do, customers using their services can operate safely, confident in the knowledge that their user data is protected according to the strictest and most widely accepted requirements.