Documents from the PCI Council, MasterCard, and Visa clearly indicate that Issuers are required to be PCI DSS compliant (see Learn More below). Yet many people in the card issuing industry are either unaware of this or confused about it. None of these requirements are new, and many have been in place for more than a decade. What could be responsible for the confusion? And what does it all mean?
PCI DSS receives a great deal of attention from organizations on the acquiring side of the payment card industry. Merchant banks, payment processors, merchants, and their service providers have been the primary focus of the card brand compliance programs since the inception of the PCI DSS standard in late 2004. The major concern of these programs was to stem the increasing tide of breaches on this side of the industry (see Acquiring-side Breaches below). There were several reasons why these organizations were seen as risky:
These factors and the rise in major breaches over the first decade of the PCI DSS (first in e-commerce and later in POS systems), kept the focus squarely on the acquiring side of the industry.
In effect, Issuers caught a compliance break because they were less of a risk. Specifically:
Consequently, Issuers are expected to be compliant but have never been required to demonstrate compliance on a regular basis. Given all of this it’s easy to see how compliance could be considered a contracting issue or someone else’s problem.
While requirements to validate compliance vary from card brand to card brand, validation can be required. Visa requires DSS assessments if a member changes their VisaNet end point. A data breach requires a forensic review against the DSS. Closed-loop brands such as Amex don't have third-party issuers; they set their own rules and report to themselves. And while Issuer breaches are rarer, they are not unheard of. Not only are breaches at issuing banks less common, they are frequently smaller, often exploit third parties and non-core systems, and target PII and bank accounts directly (rather than credit cards). Finally, information on issuer breaches tends to be less accurate, detailed, and complete.
None of this lets Issuers out of their DSS responsibilities. And even though they might not be required to validate compliance today, they still need to run a program including
Some people will argue that nothing much has changed since PCI first emerged and that Issuers are still low risk and should get a pass. While it's true that Issuers may be at lower risk of breach than other card entities, that isn't the entire story. The threat landscape is dramatically different, including:
For organizations not required to validate, gaps can easily fly under the radar. Gaps in logging and security testing are common in organizations that have never validated. Why would anyone expect this to be different for Issuers?
In the end, organizations that become complacent about risk management may find their non-compliance leads to a data breach.
When you need to start the deep dive into PCI DSS, we suggest you read https://controlgap.com/blog/6-Ways-to-Deal-with-the-Magnitude-of-PCI-DSS which looks at the following:
[FAQ 1217] Does the PCI DSS apply to issuers? https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/Does-the-PCI-DSS-apply-to-issuers
[DSS 321] PCI DSS v3.2.1 https://www.pcisecuritystandards.org/documents/PCIDSSv3-2-1.pdf
[Visa#1] Issuers and Payment Card Industry Security Standards (Undated) https://usa.visa.com/content/dam/VCOM/global/partner-with-us/documents/issuers-and-payment-card-industry-security-standards.pdf
[Visa#2] Issuers’ Payment Card Industry Data Security Standard Frequently Asked Questions (2011) https://usa.visa.com/dam/VCOM/download/merchants/bulletin-issuer-pci-dss-faq-03312011.pdf
[Visa#3] Visa International Operating Regulations (2013) https://usa.visa.com/dam/VCOM/download/merchants/visa-international-operating-regulations-main.pdf
[MC#1] New Cybersecurity Standards & Programs Chapter (2019) https://www.mastercard.com/content/dam/public/mastercardcom/globalrisk/pdf/New-Cybersecurity-Standards-and-Programs-Chapter-v1.0-FINAL-1.pdf