Do you need a better understanding of the Payment Card Industry Data Security Standard (PCI DSS)? One option is to wade through the PCI Security Standards Council's 139-page document that defines the standard. Before you dive in, we can provide a general overview of what this important set of requirements for businesses involves.
This quick guide includes all the essential compliance information so you can move forward in ensuring the security of both your customers’ and organization's data.
The Payment Card Industry Security Standards Council (PCI SSC) comprises representatives from Visa, MasterCard, Discover, American Express, and JCB.
In 2006, these card brands agreed to work together to create and maintain standards that would be used to determine whether businesses were taking sufficient steps to protect cardholder data. What is necessary to meet the expectations of the PCI Council is spelled out in the PCI DSS itself. Following its rules is called PCI DSS compliance or, more commonly, PCI compliance, a term that also covers two additional standards (more on that later).
The role of the PCI Security Standards Council is limited to creating the standards. In the same way that the US Congress passed HIPAA but HHS (through its Office for Civil Rights) enforces it, the PCI Council only develops the standards; the individual acquiring banks and the payment card brands enforce them.
Unlike HIPAA, which is enforced by a government agency, PCI enforcement comes entirely from the private sector, but it still carries real consequences for businesses that ignore the standard or otherwise fail to comply. In fact, if your systems are breached by cybercriminals, the card brands can still assess fines against you even if you were certified PCI-compliant.
For noncompliance alone, the commonly cited fine schedule ranges from $5,000 to $100,000 per month, at the discretion of the card brand or acquiring bank. These figures cover only noncompliance; a breach can bring additional fees and costs on top of them.
Despite PCI DSS being the poster child for compliance, there are actually three standards governed by the council:
Here are two ways that PCI compliance can benefit your organization:
Compliance with the PCI standards is a cyclical process that rotates through three steps:
PCI compliance is critical for avoiding fines, improving credibility, and strengthening your customer relationships. By following the cycle established by the PCI Council, you can more effectively protect your data against compromises.
What questions do you have about PCI compliance? We’d love to be a resource for your current or future needs.