All merchants who accept credit cards are now subject to strict Payment Card Industry standards, rules, and regulations, which require a level of security that took about five years to finally implement.

PCI exists to increase credit card security and, among other goals, to stave off government intervention. While significant effort has been made to improve the security of credit card data processing, adequate attention has yet to be given to the identification, authentication, and accountability of cardholders. (more…)

Looks like congress feels like credit card companies haven’t done enough to stop online fraud and identity theft. The general feeling from lawmakers was that while the PCI standard does provide guidelines on how to protect customer card data and personal information, it isn’t effective at addressing ever changing threats. Lawmakers used an example of a company that had recently passed PCI compliance and was compromised while the actual certification was being granted.

Predictably representatives from the PCI council and the cards industry defended the standard and said that any company that had been shown to be breached was in violation of one of the standards at the time.

The reality of this all is that evidence of a breach doesn’t invalidate a standard. No regulation is going to stop online fraud, but it can dramatically reduce the risk as opposed to the absence of the standard. The real question should be how many breaches would have occurred without the standard and how must the standard evolve to be more effective and meet the worlds changing threat.