» IT Security NEWS
 
» 21 April 2009
Businesses, credit card industry struggle against hackers

The credit card industry and businesses are at odds over whether the latest security standards implemented by credit card companies are efficient and practical in preventing credit card fraud and protecting cardholders' personal information.

 

 

Currently, businesses are required to conform to the Payment Card Industry Data Security Standard (PCI DSS) if they handle credit and debit card information. The PCI DSS is a set of rules and standards that should protect cardholder information from theft. However, recent breaches have occurred at companies that were certified as compliant with the PCI DSS, raising doubts about the reliability of these standards.

 

 

 

Companies found to have experienced security breaches due to non-compliance with the PCI DSS face steep fines from the credit card companies and may also have to shoulder the cost of issuing replacement cards.

 

 

 

Representatives of the retail industry have criticized the PCI standards as merely a means of shifting risk and responsibility from the banks and credit card companies onto businesses. David Hogan, senior VP and CIO for the National Retail Federation, believes that the PCI's expectation that every retail establishment keep up with constantly escalating hacking and security threats is very unrealistic.

 

 

 

 

It is also claimed that the standards were developed only from the point of view of banks and credit card companies and not of the businesses expected to comply with them. One complaint is that the PCI DSS states that businesses dealing with credit card information should not store this information, to prevent it from being stolen. However, some businesses do store it as a safety precaution against disputes from the bank. If a business cannot present a copy of the receipt as proof against the dispute, it will be forced to shoulder the associated expense.

 

 

The directives also face problems regarding encryption. While most businesses keep their records of customer transactions encrypted as required by the PCI, PCI cannot accept encrypted data in their private networks. This was how hackers stole customer data from Heartland Payment Systems. The hackers installed software that monitored the flow of data and were able to capture unencrypted data being sent by the company. It has already been suggested that the credit card companies create unique transaction IDs for each transaction to remove the need to store credit card numbers, but credit card companies were reported to be reluctant to implement this feature.

 

 

However, the PCI Security Council reports that the majority of the banks involved in breaches were not completely compliant with the PCI standards, and that this was one of the reasons the breaches occurred. The PCI also acknowledges that the fast-changing nature of security threats can easily undermine any security measure.

 


© Copyright 1999-2012: SecPoint®