What is the Payment Card Industry Data Security Standard?

The Payment Card Industry (PCI) Data Security Standard (DSS) is the industry-mandated standard for protecting credit card account data that is stored, transmitted or processed electronically. The PCI Security Standards Council, the organization that owns, develops, maintains and distributes the PCI Data Security Standard (DSS), was jointly founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International.

Who has to comply with the PCI DSS?

Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is mandatory for any entity that stores, processes, or transmits cardholder data. For more detail, visit the Visa USA compliance website.

Does PCI replace the security programs of Visa, MasterCard, and the other credit card companies?

No. The PCI DSS is an industry-wide standard that has been adopted by Visa, MasterCard, and the other major credit card companies. However, each of the companies still has its own security program, which may include additional requirements and distinct processes for compliance and registration. This is probably one of the most confusing aspects of PCI. While complying with PCI is challenging enough, it is still necessary to work with each of the credit card companies individually to abide by their specific rules. Below are links to more information about the security programs of some of the major credit card companies:

Who enforces compliance with the PCI DSS?

Each of the credit card companies has its own enforcement programs. Furthermore, each company has its own registration process and reporting requirements. See the previous question for links to each company's security program.

Why should my organization comply with PCI?

If you are a merchant with a merchant account for accepting credit cards, then it is very likely that your merchant agreement has a provision that requires you to comply with PCI. In fact, Visa has revised its agreement to explicitly state that the merchant has primary responsibility for complying with PCI requirements (see article in June 2006 edition of The Green Sheet). The agreement may also specify penalties for non-compliance. More significantly, given the media attention that is focused on information security issues, you should take all commercially reasonable measures to protect your customers' data from being compromised.

What are the liabilities for failure to comply with the PCI DSS?

Just as each of the credit card companies has its own enforcement programs, each also has its own rules and penalties for failure to comply (see links above for more details). In general, a non-compliant entity may face restrictions on its ability to process transactions or to receive funds from transactions. In the event of a data compromise, the credit card companies have a demonstrated record of assessing substantial fines and terminating processing privileges. Keep in mind that a data breach may also lead to lawsuits and damages associated with the theft of personal information. Furthermore, numerous states have passed data breach disclosure laws that mandate prompt notification of consumers whose data may have been compromised.