When I was a kid and we would go out to dinner, my dad would often pay using a credit card.

The server would come over with an awkward, clunky device, put the credit card in it, and scan the card. By scan, I mean make an impression of the numbers on a piece of paper with a carbon receipt which he would then sign and each party would get a copy. There were no wires, no electronic transmissions of data, and no internet connections to worry about.

In those days, the storing, processing, and transmitting of credit card data was very much an analog process.

Along came magnetic strips, online shopping, and now chipped cards.

When the credit card industry moved into the digital space, it quickly realized the need to protect itself from digital fraud. Merchants and those responsible for handling the data needed to protect it in the same way they would protect physical currency.

Then, like now, there was a lack of cybersecurity expertise; credit card handlers knew they had to protect the data, but they didn’t necessarily know how.

The major credit card companies had a vested interest in helping companies protect the data, and so each developed their own security standards.

While a good first step, this wasn’t so good for anyone having to navigate multiple, different standards for each credit card company. In order to standardize and ease this burden, the Payment Card Industry Security Standards Council (PCI SSC) was formed in 2004, and the various policies were aligned to the Data Security Standards – PCI DSS.

Depending on the number of transactions and the amount of money processed, a merchant can become certified either by having a Qualified Security Assessor (QSA) validate that required controls are in place or by completing a (Read more...)