PCI Compliance: Definition, 12 Requirements, Pros & Cons

Julia Kagan is a financial/consumer journalist and former senior editor, personal finance, of Investopedia.

Updated July 16, 2023. Reviewed by Thomas J. Catalano

Thomas J Catalano is a CFP and Registered Investment Adviser with the state of South Carolina, where he launched his own financial advisory firm in 2018. Thomas' experience gives him expertise in a variety of areas including investments, retirement, insurance, and financial planning.

PCI Compliance: The technical and operational standards that businesses follow to secure and protect credit card data provided by cardholders and transmitted through card processing transactions.

What Is PCI Compliance?

Payment card industry (PCI) compliance is mandated by credit card companies to help ensure the security of credit card transactions in the payments industry. Payment card industry compliance refers to the technical and operational standards that businesses follow to secure and protect credit card data provided by cardholders and transmitted through card processing transactions.

PCI standards for compliance are developed and managed by the PCI Security Standards Council.

Understanding PCI Compliance

The Federal Trade Commission (FTC) oversees credit card processing as part of its consumer-protection mandate. While there is no regulatory mandate for PCI compliance, it is regarded as mandatory through court precedent.

In general, PCI compliance is a core component of any credit card company's security protocol. It is generally mandated by credit card companies and discussed in credit card network agreements.

The PCI Standards Council is responsible for the development of the standards for PCI compliance. These standards apply to merchant processing and have also been expanded to outline requirements for encrypted Internet transactions. Other key entities that are also associated with standard-setting in the credit card industry include The Card Association Network and the National Automated Clearing House (NACHA).

Requirements for PCI Compliance

PCI compliance standards require merchants and other businesses to handle credit card information in a secure manner that reduces the likelihood of cardholders' sensitive financial account information being stolen. If merchants do not handle credit card information according to PCI standards, the card data could be compromised and used for a multitude of fraudulent actions. Additionally, sensitive information about the cardholder could be used in identity fraud.

Being PCI compliant means consistently adhering to a set of guidelines set forth by the PCI Security Standards Council, an organization formed in 2006 to manage the security of credit cards.

The requirements developed by the Council are known as the Payment Card Industry Data Security Standards (PCI DSS). PCI DSS has 12 key requirements, 78 base requirements, and over 400 test procedures.

How to Become PCI Compliant

In order to conform with PCI guidelines, several steps should be undertaken that are considered security best practices. The 12 major steps include the following:

  1. Implement firewalls to protect data
  2. Use appropriate password protection (such as 2FA)
  3. Protect stored cardholder data
  4. Encrypt transmitted cardholder data
  5. Use antivirus and anti-malware software
  6. Update software and maintain security systems on a regular basis
  7. Restrict access to cardholder data
  8. Assign unique IDs to those with access to data
  9. Restrict physical access to data storage
  10. Create and monitor access logs
  11. Test security systems on a regular basis
  12. Create a documented security policy that can be followed

The most recent version of PCI DSS was released in March 2022 and is referred to as version 4.0. Overall, the six objectives and 12 requirements outline a series of steps that credit card processors must continually follow. Companies are first asked to assess their networks and systems, which involves their information technology infrastructure, business processes, and credit card handling procedures.

Benefits of PCI Compliance

Constant maintenance and assessment of any gaps in security are also very important for avoiding, wherever possible, the theft of sensitive cardholder information such as social security and driver's license numbers.

Companies are required to provide compliance reports on a regular basis as part of their card processing agreements. Monitoring, assessments, and audits against the Payment Card Industry Data Security Standards are all important functions of a company's security department.

All companies that process credit card information are required to maintain PCI compliance as directed by their card processing agreements. PCI compliance is the industry standard, and operating without it can result in substantial fines for agreement violations and negligence. Without PCI compliance, companies are also highly vulnerable to theft, fraud, and data breaches.

95%: the percentage of cybersecurity breaches that are caused by human error.

The benefits of compliance include the reduced risk of data breaches, safeguarding cardholder data, and thus avoiding chances for identity theft. It is good practice for companies to be compliant as it reduces any fines related to data breaches, helps a company's brand reputation, and keeps customers happy and confident that they are doing business with a responsible company, leading to brand loyalty.

In the first half of 2020, there were 36 billion records exposed through data breaches. Eighty-six percent of breaches were financially motivated, and with the global information security market expected to reach $170 billion in 2020, the financial risk is even higher. Protecting cardholder data is not only good for business but is also the right thing to do, ensuring that people are not harmed or made to suffer financial loss.

Drawbacks of Being PCI Non-Compliant

PCI compliance is mandatory if you or your business deals with credit card transaction information. In addition to increased risk of experiencing a data breach, you can also be subject to fines, penalties, and losing the ability to process credit card data going forward. Banks and payments companies may also choose not to do business with you unless you are PCI compliant. This can result in lost sales and a tarnished brand image.

Non-compliance fines begin at $5,000 but can cost up to $500,000 per PCI data security incident or breach. In addition, all individuals whose information is believed to have been compromised must be notified in writing so that they can be on alert for fraudulent charges.

Examples of PCI Compliance and Data Breaches

PCI compliance helps avoid fraudulent activity and mitigates data breaches. Verizon provides an annual assessment of payment security in its “Verizon Payment Security Report.” The 2019 Report devotes an entire section to PCI DSS, called “The state of PCI DSS compliance, 2019: And 12 key requirements.” Some PCI DSS highlights from the “Verizon 2019 Payment Security Report” include the following:

What Does PCI Compliant Mean?

PCI compliant means that any company or organization that accepts, transmits, or stores the private data of cardholders is compliant with the various security measures outlined by the PCI Security Standard Council to ensure that the data is kept safe and private.

Is PCI Compliance Required by Law?

There is not a regulatory mandate that requires PCI compliance, but it is nevertheless regarded as mandatory through court precedent.

How Do I Get PCI Compliant?

To become PCI compliant, you must first determine which self-assessment questionnaire you need to follow. Once you finish the questionnaire, you need to complete and retain evidence of a passing vulnerability scan performed by a PCI SSC Approved Scanning Vendor; scanning applies to only some merchants. You will then need to complete the Attestation of Compliance. The last step is to submit all of the above information.

Who Must Be PCI Compliant?

Any company or organization that accepts, transmits, or stores the private data of cardholders.

The Bottom Line

PCI compliance refers to the technical and operational standards set out by the PCI Security Standards Council that organizations need to implement and maintain. The goal of PCI compliance is to protect cardholder data, and the standard applies to any organization that accepts, transmits, or stores that data. Being PCI compliant is a good business practice in that it puts the safety of consumer data first and also benefits an organization through a positive brand reputation.