Chapter 3

PCI

If a lot of cures are suggested for a disease, it means that disease is incurable.

Anton Chekhov

Standards are an interesting phenomenon, especially in the information technology field. On the one hand, they create bureaucracy, kill creativity, and scare away many talented people. On the other hand, standards save resources, provide reliability, and allow totally different people and organizations to speak to each other using the same language.

In the payment card industry (PCI), this phenomenon is even more interesting. There are established security standards without underlying technology standards. Simply put, most security standards for payment applications tell you what to protect without explaining how to do it. This in no way means that the technology does not exist. It's just not defined and not standardized enough.

These days, whenever there is a discussion about security standards regulating payment applications, the first thing that comes to mind is PCI. Such an instinct is unsurprising today because, since 2004, PCI standards have been filling the niche that was empty for a long time. However, it does not mean that PCI rules are the only ones regulating payments. There are other standards which influence the industry, especially these days when new promising technologies such as P2PE come to the arena and bring with them a new wave of hitherto unknown hardware and software requirements. This chapter reviews “known” PCI standards. Other standards that ...
