PCI is the acronym for the compliance standard most applicable to businesses that accept credit card payments, whether online or brick and mortar. PCI stands for Payment Card Industry Data Security Standard (PCI DSS), a worldwide information security standard defined by the Payment Card Industry Security Standards Council. The standard was created by representatives of several major credit card companies. Their goal was to protect their card users (and themselves) from the fraud and losses that result from misuse of card data. The standard applies to all organizations that hold, process, or exchange cardholder information from any card issued under one of the participating card brands.
The PCI Security Standards Council is now the issuer of the compliance standard. The council was launched in 2006 and is responsible for the content of its several components. The Council’s five founding global payment brands — American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. — have agreed to incorporate the PCI DSS as the technical requirements of each of their data security compliance programs.
Components of the Standard
The PCI DSS standard comprises several technical requirements, framed as questions such as: does a policy exist for the creation of user accounts, does a firewall protect internal IT systems from external networks, is sensitive data encrypted when transmitted over insecure networks? It also includes security program management requirements, such as self-assessments, external third-party assessments, and quarterly vulnerability scans.
The PCI standard takes into account the various roles organizations play in a credit card transaction. At one end is the Card Holder: an individual or organization that was issued a credit card bearing the logo of one of the participating companies. When the card holder uses the card in a transaction, a Merchant accepts the card for payment. In most cases the merchant relies on a Service Provider to process and authorize the transaction; the service provider has access to the credit card company’s systems for the actual approval.
PCI also makes a distinction between merchants of different sizes. Those who process extremely high volumes of credit card transactions have more stringent requirements, while those who do relatively little credit card business can sometimes satisfy PCI with just a self-assessment attestation. Similarly, there are different levels of service providers and, like merchants, those with higher transaction volumes have more stringent requirements.
The stringent requirements for larger merchants and service providers include periodic vulnerability scans and third-party assessments. For these organizations the PCI council has developed the Qualified Security Assessor (QSA) role: a company that has been approved by the PCI council to conduct such assessments. Only a QSA can complete the required assessment. Its assessors are trained and have passed an examination to earn the QSA title.
While we have looked only at the PCI DSS, the council has also set standards for payment applications (PA DSS) and for PIN Transaction Security (PCI PTS). These standards are similar in approach and detail to the PCI DSS but are focused on specific aspects of the payment card industry.