Today, payment cards are such a ubiquitous part of our daily financial life that it's hard to imagine a time before they existed. Completing payment for a latte at your local coffee shop with a credit card now only takes a few minutes, and it's hard to imagine a time when electronic network-connected card readers didn't exist. The first credit cards were introduced more than 70 years ago. During those early years, it was standard practice for businesses to call the credit card company to verify card information for each payment. It was a time-consuming process, and PCI security was likely not top of mind. By the time your transaction had been approved, several minutes had gone by, and your latte was likely teetering on tepid.
As the use of card payments increased, payment systems evolved, and so did the risks to the data they handled. The driving force behind industry regulation to protect payment card data came in the late 1990s with the widespread adoption of the internet and e-commerce. With the birth and rapid growth of online shopping came increased fraud and malware created to steal credit and debit card information. According to TechTarget, between 1988 and 1999, two of the major card brands documented more than $750M of losses from online fraud. The resulting regulation, the Payment Card Industry (PCI) Data Security Standard, significantly raised the bar and vastly improved the way in which organizations protect sensitive payment card data; meeting its requirements is known as PCI security compliance.
Maintaining secure payment systems that allow consumers to easily make payment card transactions without risking the privacy of their personal data is a critical part of financial data security. Compliance with PCI security requirements can help keep your and your customers' sensitive personal data secure and out of the hands of cybercriminals. Data breaches compromise several million data records each year and can result in lost confidence, bad press, legal challenges and declining profits.
According to the Verizon 2023 Data Breach Investigations Report (DBIR), 83% of data breaches in 2022 involved external actors—the majority being financially motivated. 84% of data breach caseloads entailed payment account data.1
Large-scale card data breaches happen when threat actors use nefarious tactics, such as installing malicious code on a web application, SQL injection, phishing or a range of other methods, to gain access to systems. These tactics give threat actors access to their target's systems, potentially allowing them to access and control large volumes of data. The sheer amount of payment card data stored in databases and the cloud poses substantial risks to consumers concerned about the security of their data, particularly in light of the numerous high-profile data breaches over the years that resulted in the compromise of millions of payment card data records.
All these factors, and more, are pushing data security and compliance to the forefront in the form of industry regulations for modern business.
On March 31, 2024, compliance with the latest edition of the Data Security Standard, PCI DSS v4.0, will become mandatory, and v3.2.1 will be retired.