ABSTRACT

Global regulations or guidelines are generally industry based. One of the oldest is the Payment Card Industry (PCI) Data Security Standard (DSS). This chapter focuses on the PCI-DSS in depth. PCI-DSS first appeared in 2004.

In the early 2000s, credit card data breaches made headlines. TJX Companies had 45.6 million credit and debit card numbers stolen over an 18-month period by Albert Gonzalez. That breach ended in 2007 and surpassed the CardSystems Solutions breach of 2005, which exposed 40 million records. Gonzalez masterminded the theft and subsequent resale of more than 170 million card and ATM numbers from 2005 to 2007, the largest such fraud in history at that time. [1] SQL injection was used to deploy backdoors on several corporate systems; from those footholds, packet-sniffing attacks allowed him to steal data from internal corporate networks. [2]

Regulations or industry guidelines may be prescriptive and align to a specific framework. As an example, the Payment Card Industry Data Security Standard (PCI-DSS) is a guideline for banks, merchants, and data processors that process credit card data. It is enforced by the PCI Security Council and their member banks.

PCI-DSS is the most frequently used framework in the US. [3] This chapter will focus on PCI-DSS.