What Is PCI Compliance?

PCI Compliance Explained

Customer using a credit card reader at a cafe
•••

Artem Varnitsin / EyeEm / Getty Images

Payment card industry (PCI) compliance is based on a set of 12 technical and operational standards developed by the PCI Security Standards Council (SSC), an independent body formed in 2006 by American Express, Discover, JCB International, Mastercard, and Visa. These standards apply to any business that accepts, transmits, or stores credit card data. They were created to ensure a secure environment that protects customer and business information against issues such as data breaches.

To better understand PCI compliance, it’s important to know what it entails, the requirements, and how it all works.

PCI Compliance Definition and Requirements

PCI compliance is adherence to a set of standards for credit card security and protection set by the PCI SSC. These standards were created to ensure a secure environment for any business that processes cardholder data.

While the PCI SSC developed the standards, the payment brands and merchants are responsible for enforcing compliance.

Each credit card brand may have its own specific PCI requirements that businesses need to follow. Business owners should check with each payment brand to ensure they meet all the necessary requirements.

  • Alternate name: Payment Card Industry Data Security Standard
  • Acronym: PCI, PCI DSS

PCI Compliance Standards

There are 12 standards created by the PCI DSS that cover both technical and operational system components:

  • Maintain a firewall to protect cardholder data
  • Use high-level security passwords instead of default system passwords
  • Protect stored cardholder data through proper security protocols
  • Encrypt the transmission of cardholder data
  • Protect all systems against malware and regularly update anti-virus programs
  • Develop and maintain secure systems and applications
  • Restrict access to cardholder information
  • Identify and authenticate access to all system components
  • Restrict physical access to cardholder information
  • Track and monitor all access to network and cardholder data
  • Frequently test security systems and processes
  • Maintain an information security policy for all personnel

To protect sensitive cardholder information, it’s the responsibility of every business that processes, transmits, and stores customer card data to ensure PCI standards are met. These standards can help merchants guard against hackers and information thieves.

Not meeting these requirements can leave a business more vulnerable to financial damage and could result in costly non-compliance fees assessed by credit card brands.

How Does PCI Compliance Work?

Each card issuer has its own PCI compliance guidelines, so it’s a good idea for business owners to check with each issuer to ensure they meet the proper qualifications. To be considered PCI compliant, businesses need to go through a three-step process that includes scoping, assessing, and reporting.

Scoping

In scoping, business owners need to identify all systems that if compromised could impact cardholder data. Scoping is generally an annual process that involves evaluating all systems and ways cardholder data interacts with a business. This process will help determine the type of assessment needed as well as the magnitude and cost.

Assessing

The assessment portion of PCI compliance consists of either a self-assessment questionnaire or an on-site audit conducted by a qualified security assessor. Which assessment a business will need is determined by the credit card company’s merchant levels. For example, businesses that process under an issuer’s specified number of card transactions each year may only need a self-assessment questionnaire.

Business owners can determine their merchant level through each credit card company’s designated website, such as these for VisaMastercard, and American Express.

Reporting

Once business owners complete the self-assessment, they’ll need to report it to the credit card company. Businesses that qualify for an in-person assessment must submit a Report on Compliance to the payment card issuer directly. PCI compliance assessments are only required annually, but business owners may need quarterly vulnerability scans conducted by an approved scanning vendor. Whichever assessment is done, reporting the audit results to the payment card issuers is the final step for PCI compliance.

Key Takeaways

  • PCI compliance is the credit card industry set of standards that businesses accepting, transmitting, and storing cardholder data must follow.
  • There are 12 technical and operational standards businesses need to adhere to in order to meet PCI compliance.
  • There is a three-step process to become PCI compliant: scoping, assessing, and reporting.
  • The assessment process either involves taking a self-assessment questionnaire or getting an on-site audit.