What Is PCI Compliance?

Payment card industry (PCI) compliance is mandated by credit card companies to help ensure the security of credit card transactions in the payments industry. Payment card industry compliance refers to the technical and operational standards that businesses follow to secure and protect credit card data provided by cardholders and transmitted through card processing transactions. PCI standards for compliance are developed and managed by the PCI Security Standards Council.

Key Takeaways

  • Companies that follow and achieve the Payment Card Industry Data Security Standards (PCI DSS) are considered to be PCI compliant.
  • The PCI Security Standards Council is responsible for developing the PCI DSS.
  • PCI DSS has six major objectives, 12 key requirements, 78 base requirements, and over 400 test procedures.

Understanding PCI Compliance

The Federal Trade Commission (FTC) has responsibility for the oversight of credit card processing as it falls under the need for consumer protections and oversight. While there is not necessarily a regulatory mandate for PCI compliance, it is regarded as mandatory through court precedent.

In general, PCI compliance is a core component of any credit card companies security protocol. It is generally mandated by credit card companies and discussed in credit card network agreements.

The PCI Standards Council is responsible for the development of the standards for PCI compliance. These standards apply for merchant processing and have also been expanded to outline requirements for encrypted internet transactions. Other key entities that are also associated with standard-setting in the credit card industry include The Card Association Network and the National Automated Clearing House (NACHA).

PCI Standards

PCI compliance standards require merchants and other businesses to handle credit card information in a secure manner that helps reduce the likelihood that cardholders would have sensitive financial account information stolen. If merchants do not handle credit card information according to PCI Standards, the card information could be hacked and used for a multitude of fraudulent actions. Additionally, sensitive information about the cardholder could be used in identity fraud.

Being PCI compliant means consistently adhering to a set of guidelines set forth by the PCI Standards Council. PCI compliance is governed by the PCI Standards Council, an organization formed in 2006 for the purpose of managing the security of credit cards. The requirements developed by the Council are known as the Payment Card Industry Data Security Standards (PCI DSS). PCI DSS has six major objectives, 12 key requirements, 78 base requirements, and over 400 test procedures. The guidelines are are also considered security best practices. Its six major requirements include the following:

  1. Build and Maintain a Secure Network and Systems
  2. Protect Cardholder Data
  3. Maintain a Vulnerability Management Program
  4. Implement Strong Access Control Measures
  5. Regularly Monitor and Test Networks
  6. Maintain an Information Security Policy

The most recent version of PCI DSS was released in May 2018 and is referred to as version 3.2.1. Overall, the six objectives and 12 requirements outline a series of steps that credit card processors must continually follow. Companies are first asked to assess their networks and systems which involves information technology infrastructure, business processes, and credit card handling procedures.

Constant maintenance and assessment of any gaps in security are also very important for avoiding the theft of sensitive cardholder information, such as social security and driver’s license numbers, whenever possible. Companies are required to provide compliance reports on a regular basis as part of their card processing agreements. Monitoring, assessments, and audits of Payment Card Industry Data Security Standards are all an important part of a company’s security department.

All companies that process credit card information are required to maintain PCI compliance as directed by their card processing agreements. PCI compliance is the industry standard and business without it can result in substantial fines for agreement violations and negligence. Without PCI compliance companies are also highly vulnerable to theft, fraud, and data breaches.

PCI Compliance and Data Breaches

PCI compliance helps avoid fraudulent activity and mitigate data breaches. Verizon provides an annual assessment of payment security in its “Verizon Payment Security Report.” The 2019 Report devotes an entire section to PCI DSS, called “The state of PCI DSS compliance, 2019: And 12 key requirements.” Some PCI DSS highlights from the “Verizon 2019 Payment Security Report” include the following:

  • 36.7% of organizations were actively maintaining PCI DSS programs in 2018
  • The Asia-Pacific region outperformed the Americas, Europe and Middle East and Africa regions
  • From an industry perspective, hospitality lags somewhat behind other sectors