The payment industry runs on trust. Card fraud has always existed, but the rapid adoption of the internet during the 1990s brought a surge of card-not-present fraud with it. Visa first tried to address the problem on its own, establishing its own security standard, the Cardholder Information Security Program (CISP), with limited success. As fraud continued to grow, the other card brands, including MasterCard, American Express, and Discover, launched their own programs. Merchants now faced several overlapping sets of requirements, and none of the programs succeeded on its own.
In 2006, the major card brands formed the Payment Card Industry Security Standards Council (PCI SSC) to maintain a single, unified standard: the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS sets the minimum security requirements that any merchant or service provider must satisfy to store, process, or transmit cardholder data. (Cardholder data consists of the primary account number [PAN] at a minimum; when held together with the PAN, the cardholder name, expiration date, and service code are cardholder data as well. The full magnetic-stripe or chip data, the card verification code, and the PIN are classed separately as sensitive authentication data, which may never be stored after authorization.) The standard is organized as twelve requirements covering network security, protection of stored cardholder data, encryption of cardholder data in transit over open networks, vulnerability management, access control, logging and monitoring, regular security testing, and an information security policy. Compliance is therefore measured against concrete controls, not against a merchant's own estimate of its financial exposure.
The PCI SSC isn't a governmental regulatory body, and PCI DSS isn't law. Enforcement is contractual: the card brands fine the acquiring banks, and the banks pass those fines (and usually the liability) down to the noncompliant merchant through the merchant agreement. The fine is only the start. A breach at a noncompliant merchant can also bring legal fees, per-card penalties for every card that has to be reissued, the cost of mandated audits and forensic investigation, and the cost of cleanup.
While the direct financial penalties (figures of $500,000 and up per incident are commonly cited) are a strong deterrent, the longer-term concern is loss of trust: an acquiring bank can raise fees or terminate the merchant account, and third-party partners and customers take their business elsewhere.
Another important thing to remember is that using a PCI DSS compliant payment processor, such as PayPal, does not excuse you from the PCI requirements, although it can sharply reduce the scope of your assessment. How much depends on whether cardholder data ever touches systems you control: a site that redirects to, or embeds, the processor's hosted payment page and never receives a PAN can typically self-assess under the short SAQ A, while a site whose own server receives the PAN and forwards it to the processor's API is fully in scope (SAQ D) even though it stores nothing. Also check where the data goes after the payment: a PAN written to an application log, a crash report, or a support ticket pulls those systems into scope too. If you handle cardholder data, or integrate with a payment processor to do so, you are required to comply.