What is the Payment Card Industry Data Security Standard?

January 06, 2023 | 4 minutes read

While many consumers and business owners alike will have heard mention of PCI-DSS compliance, many may be wondering exactly what the term actually means. Due to the unregulated nature of the internet, online users that are using their credit and debit cards to make purchases must be able to ensure that their financial information will remain secure and protected during all stages of the transaction. This being the case, the Payment Card Industry Data Security Standard (PCI-DSS) was established in 2006 by the major 5 credit card companies, including Visa, Mastercard, Discover, JCB, and Express. The PCI DSS currently serves as the primary IT standard that governs cardholder data around the world and gives consumers the assurance that their financial information will safeguard when they use their credit card or debit card to make purchases.

To this point, the PCI compliance website states that “the Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006, to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with a focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover, and JCB.). It is important to note that the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.”

Who does the PCI-DSS apply to?

The PCI-DSS applies to any form of business or organization that serves customers around the globe, irrespective of the size or scope of a particular business or organization. Nevertheless, PCI compliance is enforced in accordance with four different merchant levels, that correspond to the volume of transactions that a company conducts within a 12-moth period. For instance, level 1 of the PCI-DSS, the highest level, applies to any merchant that handles more than 6 million card transactions within a given year. Likewise, credit cards, debit cards, and prepaid card transactions that are processed all contribute to this volume. With all this being said, the PCI-SSS mandates that any company that processes or retains credit card data, be it online or via phone, abide by 12 specific requirements.

PCI-DSS compliance requirements

The 12 requirements that businesses and organizations must adhere to when handling the cardholder data of consumers include:

Businesses must install and maintain a firewall configuration that can be used to protect cardholder data.
Businesses are prohibited from using vendor-supplied defaults for their various security parameters, including system passwords, among other things.
Businesses have a responsibility to protect all cardholder data that they have stored.
Businesses are required to encrypt any cardholder data they transmit or disclose over public and open networks.
Businesses are responsible for regularly updating their anti-virus software programs, as well as any other relevant applications.
Businesses are required to implement and maintain secure systems and applications that will serve to protect cardholder data.
Businesses must limit the access to the cardholder data that they retain in conjunction with employees that need to know such information in order to perform their respective job functions.
Businesses must assign a unique ID to each person within their organization that has computer access.
Businesses are responsible for restricting physical access to cardholder data.
Businesses are required to both track and monitor any access to network resources that are used to store cardholder data.
Businesses are responsible for regularly testing their security processes and systems.
Businesses are required to create, implement and maintain an IT security policy that employees, third parties, and contractors alike can follow in an effort to protect cardholder data.

What are the penalties for violating PCI-DSS compliance?

In contrast to many other standards that are prominent within U.S. sectors of industry such as healthcare and the legal industry, PCI-DSS is not a law that has been enacted by the federal government. To this point, businesses that violate the PCI-DSS will not be subject to criminal penalties or sanctions. However, the five major credit card brands do reserve the right to impose a monetary fine ranging from $5,000 to $100,000 against acquiring banks for each month that a business is found to be in violation of the PCI-DSS. In practice, banks will typically pass these fines along until they ultimately reach the appropriate merchant. On top of this, the major credit card companies can also terminate their relationships with a business or merchant, as well as increase the fines that these entities must pay when conducting transactions.

The Payment Card Industry Data Security Standard is unique in that the regulation is upheld by private companies on an international scale as opposed to government regulatory authority that is located within a particular region or jurisdiction in the world. To this end, businesses that fail to comply with the numerous standards that were created by the 5 major credit card companies worldwide are greatly placing themselves at risk, as the companies in question have the right to impose penalties against merchants at their sole discretion. Despite all of this, protecting the cardholder data of the world’s billions of citizens must remain a top priority at all times, as our current economy would completely falter without such transactions.