Payment Card Industry (PCI) compliance refers to the standards with which businesses must comply to protect cardholder credit card data. PCI compliance is enforced by the Payment Card Industry Security Standards Council (PCISSC). The standards consist of a number of requirements and directives against which businesses can evaluate their own payment card security policies and procedures.
Who Must Comply With the PCI Standards?
All businesses that store, process, or transmit credit card data electronically must follow the PCI compliance guidelines. The PCI requirements apply to all businesses, regardless of the number or size of credit card transactions they process.
What is Required for PCI Compliance?
Payment card industry compliance standards impose security requirements on merchants and other businesses, similar to how the HIPAA Security Rule imposes obligations upon covered entities and business associates to keep electronic protected health information secure.
The standards require merchants and other businesses to handle credit card information in a secure manner that reduces the likelihood of cardholders' sensitive financial data being stolen. Failure to properly secure credit card information can result in hackers using that information to commit identity theft.
Sensitive financial data can also be used to commit identity fraud. According to the non-profit Identity Theft Report Center (ITRC), there were 1,244 data breaches in 2018, exposing 446,575,334 records. While the number of breaches fell from 1,632 in 2017, the number of records exposed tripled. The breaches exposed the details of more than 64.4 million credit cards.
PCI compliance consists of adhering to a set of guidelines that are set forth by companies that issue credit cards. These companies include (among others) American Express, Discover, MasterCard, and VISA.
The guidelines outline a series of steps that credit card processors must follow on an ongoing basis.
- Step 1: Businesses are asked to assess their IT structure, business processes, and credit card handling procedures, to help identify potential threats that may compromise credit card data.
- Step 2: Businesses are asked to address the security gaps they identify, for example by installing and maintaining a firewall.
- Step 3: Businesses are advised to avoid storing sensitive cardholder information, such as driver’s license and Social Security numbers.
To demonstrate that they are fulfilling these PCI compliance guidelines, businesses are required to provide compliance reports to the card issuers with whom they work.