What is PCI Compliance
Payment card industry (PCI) compliance refers to the technical and operational standards that businesses must follow to ensure that credit card data provided by cardholders is protected. PCI compliance is enforced by the PCI Standards Council, and all businesses that store, process or transmit credit card data electronically are required to follow the compliance guidelines.
BREAKING DOWN PCI Compliance
Payment card industry (PCI) compliance standards require merchants and other businesses to handle credit card information in a secure manner that helps reduce the likelihood that cardholders would have sensitive financial data stolen. If merchants do not handle credit card information properly, the card information could be hacked and used to make fraudulent purchases. Additionally, sensitive information about the cardholder could be used in identity fraud.
Being PCI compliant means consistently adhering to a set of guidelines set forth by companies that issue credit cards. The guidelines outline a series of steps that credit card processors must continually follow. Companies are first asked to assess their information technology infrastructure, business processes and credit card handling procedures to help identify potential threats that may compromise credit card data. Companies are then asked to address any gaps in security, and to avoid storing sensitive cardholder information, such as Social Security and driver's license numbers, whenever possible. Companies are required to provide compliance reports to the card brands that they work with, such as American Express and VISA.
All companies that process credit card information are required to maintain PCI compliance, regardless of their size or the number of credit card transactions they process. All companies are broken into merchant levels based upon the number of transactions that are processed during a specified period. PCI compliance is governed by the Payment Card Industry Security Standards Council, an organization formed in 2006 for the purpose of managing the security of credit cards. The requirements, known as the Payment Card Industry Data Security Standard (PCI DSS), are managed by the major credit card companies, including VISA, American Express, Discover and MasterCard, among others.
PCI Compliance and Data Breaches
Many of history's largest data breaches may have been avoided if the affected merchants or financial institutions had been PCI-compliant. Here are some key takeaways from the Verizon 2017 Payment Security Report, an in-depth study of PCI DSS compliance:
- Retail organizations demonstrated the lowest PCI compliance sustainability across all key industries.
- The IT services industry achieved the highest full compliance of all key industry groups studied.
- 77 percent of companies assessed after a data breach were not in compliance with the number one PCI requirement: install and maintain a firewall configuration.
- The study shows a "demonstrable" correlation between businesses that are up-to-date on the PCI standards and businesses that have successfully defended themselves against cyber threats.
- The number of businesses that are 100 percent PCI-compliant is growing considerably on a year-over-year basis.