The Future of PCI Compliance

With the Payment Card Industry Security Standards Council working on updates to the PCI DSS guidelines, the industry is placing a new focus on security breaches and malware hacks. Although unfortunate, each retail breach does expose a weakness in existing PCI security standards; recognizing these vulnerabilities is leading to the realization that a fresh evaluation of security liabilities is called for. How will this affect the future of PCI compliance, and will the demand for PCI compliant hosting increase as a result?

Potential Vulnerabilities
While the PCI security guidelines offer a comprehensive system for protecting cardholder data, a certain amount of merchant accountability remains. For example, many systems are protected by weak passwords, making this one of the primary concerns of the Security Standards Council.

In addition to network attacks, card issuers and merchants are also expressing growing concerns over new payment technologies, like mobile payments and emerging e-commerce transaction methods. Even in markets where PIN transactions are the existing standard, PCI compliance challenges remain as the interest in mobile commerce continues to expand.

Globally, the EMV card-security standard offers an additional level of protection that the United States has yet to adopt, although ATMs were scheduled to achieve compliance by April 2013 and the target date for card data processing via other methods is October 2015. EMV has significantly reduced fraud where cards are physically present in Europe and elsewhere in the world, particularly in ATM skimming, an issue that is still very much a concern within the U.S.

Finally, the vast increase in cloud data storage is changing the game of PCI compliance, despite the recent updates to the PCI DSS that specifically address vulnerabilities in the cloud. The saved expense of moving storage and processing into the virtual environment is too tempting for businesses to ignore, yet many merchants assume that they're using a PCI compliant hosting provider for virtual data access and storage, when this may not always be the case.

Global Changes
Perhaps the biggest forthcoming change in PCI DSS is the expanding international scope of these merchant guidelines. The Security Council now includes a board of advisers with representatives from every major global card market, including Africa and the Middle East. This allows the industry to better position itself for addressing existing and future card risks in a more comprehensive way, and includes the much-needed global perspective about what aspects of the PCI DSS are currently working and where the primary challenges are. Small merchants from all different countries are at risk for targeted attacks, and remain one of the most vulnerable groups to hackers and malware.

Going Forward
Although changes are necessary, getting U.S. merchants to conform to EMV is not a cure-all that guarantees total data security. While EMV does show a marked reduction in vulnerabilities during card-present transactions, this is only one aspect of ensuring the security of cardholder data.

Card-not-present transactions are not improved through EMV standards, so e-commerce sites and mobile payments (perhaps the fastest-growing segment of merchants) remain at risk. End-to-end encryption offers one solution for minimizing card-not-present vulnerabilities, but merchants will again have to assume accountability by ensuring that they store and transmit card data in ways that don't leave sensitive information vulnerable.

The Council is currently discussing which updates should be issued later this year, and how emerging technologies and changes in payments are going to impact PCI compliance for businesses of all sizes.

PCI compliant hosting is still required even if you're shifting your storage and operations to the cloud for greater convenience.

FG_AUTHORS: Internet-and-Businesses-Online:Web-Hosting Articles from EzineArticles.com
