The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover and JCB. The standard was developed by the Payment Card Industry Security Standards Council (PCI SSC). It was devised as a reaction to the increased number and severity of data security breaches experienced by financial institutions in 2005 and 2006. The standard was created to enhance cardholder data security, decrease fraud and increase compliance within the payment card industry.
The credit card schemes require their merchants to be PCI compliant in order to accept credit cards. The majority of retailers are not compliant. Almost every retailer has the same question: “what does PCI compliance mean?” The retailer’s card processing company reports to the merchant whether or not they are compliant. Failure to be PCI compliant may result in the major credit card providers (Visa, MasterCard, etc.) prohibiting the merchant from accepting credit cards.
Why is it called PCI Compliance?
The PCI DSS is a standard and the merchant must comply with it. Compliance means that you meet all criteria of PCI security compliance, which includes strong encryption, limited use of data storage, etc. It’s called PCI compliance to emphasize that the merchants, processors and other companies involved in credit card processing must comply with the rules set by the PCI Security Council.
Who is involved in PCI Compliance?
The PCI DSS was developed by the Payment Card Industry Security Standards Council (PCI SSC). The council members include American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Each company appoints a representative to the PCI Security Council.
How does it work?
The primary goal of PCI DSS is to help organizations proactively protect customer account data. The Council came up with a list of 12 requirements to achieve that goal. These requirements are separated into 3 major areas: Build and Maintain a Secure Network, Protect Cardholder Data and Monitor and Maintain a Secure Network. You can read about them in more detail on the PCI Security Council site.
It’s important to note that compliance is mandatory at each level of the supply chain. In other words, if you are a merchant or service provider, your business must be compliant, and so must your partners and those you do business with at the same level of the supply chain. PCI DSS does not apply to consumers directly, but consumers can still help protect themselves by carefully checking their online statements and by not giving card information to people they don’t know.
PCI DSS compliance measures:
The PCI Council created a list of requirements that must be met in order for businesses to achieve compliance and ensure the safety and security of their customers’ data. The 12 Requirements of PCI DSS focus on technical and operational controls that help reduce the vulnerability of credit card processing environments.