logo
logo
AI Products 

What is PCI Compliance?

avatar
michael bedwell
What is PCI Compliance?

PCI compliance refers to the policies and procedures required by the Payment Card Industry Security Standards Council (commonly called PCI SSC), which operates under the authority of major credit card brands including Visa, MasterCard, American Express, Discover Financial Services and JCB. Per these standards, merchants are expected to implement security measures that protect cardholder data and prevent breaches.


PCI compliance applies to any business that processes, stores or transmits credit card data, which includes not only merchants but also third-party service providers (such as payment processors and cloud storage providers) that work with them. Non compliance can result in hefty fines, so it's important for businesses of all sizes to understand the PCI standards and how they apply to them.


What is Payment Card Industry Data Security Standard (PCI DSS)?

The PCI DSS, which all organizations are required to follow, defines a common set of security standards for processing, storing or transmitting credit card data. These include the following:


The Council identifies specific compliance requirements for each of the six control objectives, which are summarized below.

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

5. Use and regularly update antivirus software or programs

6. Develop and maintain secure systems and applications


According to the PCI DSS, all merchants must also have a formal, documented information security policy that's approved by an organization's top management. This policy should include physical security measures such as locks on doors and windows, video surveillance of the computer room and regular inspection of physical access logs.


The PCI DSS also requires merchants to "regularly test security systems and processes," including employee training on policies regarding physical security, information security and data destruction. In addition, all employees that have administrative privileges must be trained to use these privileges only when necessary and to adhere to the organization's security policy.


What are the consequences of not being PCI compliant?

Businesses that don't comply with PCI standards can face significant penalties, including fines, suspension of services and termination of agreements. Noncompliance can also damage a company's reputation and result in lost customers.

For example, in 2011, the PCI SSC fined merchant provider Global Payments $5 million for not doing enough to protect cardholder data. The breach resulted in more than 1.5 million credit and debit cards being compromised after malware was introduced into one of Global Payment's systems via an infected email message.


What is the difference between PCI DSS and PCI PA-DSS?

The Payment Card Industry Data Security Standard was introduced in 2006 as a security standard for organizations that process, store or transmit credit card information. In 2012, the PCI SSC introduced another standard known as the PCI Payment Application Data Security Standard (PA-DSS). This standard applies to organizations that develop applications used to process credit card payments.


The PCI DSS is a comprehensive standard that applies to all organizations that process, store or transmit credit card data. The PCI PA-DSS is specific to payment applications and covers areas such as design, development, testing and deployment.

Merchants that use payment applications that are compliant with the PCI PA-DSS standard do not need to be PCI compliant themselves, because the PCI DSS compliance burden rests with the payment application vendor.

collect
0
avatar
michael bedwell
guide
Zupyak is the world’s largest content marketing community, with over 400 000 members and 3 million articles. Explore and get your content discovered.
Read more