Do the Payment Card Industry Data Standards Reduce Cybercrime?

Yes, the title of this post was the discussion topic of Subcommittee on Emerging Threats, Cybersecurity and Science and Technology hearing held last week in Washington, DC. The goal was to examine the effectiveness of PCI-DSS (Payment Card Industry - Data Security Standards). Lately, the Heartland Payment System breach has brought extra attention to the PCI standards, which are known to provide a good foundation for governance and risk management strategy.

So what the two panels discussed whether the PCI standards are really effective in protecting consumer information and identity or not. Results were astonishing - from reasonable criticisms - to National Retail Federation taking aim at PCI Council.

In my opinion, the following Key points will be topics of discussion in upcoming PCI panel discussions and conferences -

• PCI Council noted that if companies follow all requirements of PCI standards, end-to-end encryption is not necessary.
• VISA noted that one possible change is to include a requirement in the PCI standards requiring the monitoring outgoing traffic for unusual activity.
• NRF discussed end-to-end encryption as a control, but noted that it'll be too expensive to implement.