The payment industry relies heavily on trust. Fraud has always been possible, but the rapid adoption of the internet during the 1990s brought card-not-present fraud on a new scale. Visa first attempted to address the problem alone, establishing its own security program, the Cardholder Information Security Program (CISP). MasterCard, American Express, and Discover followed with programs of their own. None of these succeeded on its own: a merchant accepting several brands faced several overlapping and inconsistent sets of requirements.
In December 2004 the major card brands aligned those programs into a single standard, the Payment Card Industry Data Security Standard (PCI DSS), and in 2006 Visa, MasterCard, American Express, Discover, and JCB formed the Payment Card Industry Security Standards Council (PCI SSC) to maintain it. PCI DSS defines the minimum security requirements that any merchant or service provider must meet in order to store, process, or transmit cardholder data. (Cardholder data consists of the primary account number [PAN] at a minimum; when stored together with the PAN, the cardholder name, expiration date, and service code are cardholder data as well.) The standard exists to protect that data rather than to measure financial risk; its practical effect on a company is that acquiring banks and payment processors require compliance as a condition of handling the company's card transactions.
PCI DSS isn’t a certification. Rather, it’s a set of requirements, backed by a checklist of processes and practices, that must become part of the operating framework of any company that handles cardholder data. A company validates its compliance against the standard (through a self-assessment or a third-party assessment); it does not get certified once and for all. Compliance with PCI DSS is a continuous process that involves three steps:
The standard contains controls designed to protect cardholder data that must be practiced daily in all payment operations, not only at assessment time. The details of PCI DSS compliance differ based on the activities each company performs, and the controls that are in scope depend on how the company handles card data. However, to remain PCI compliant, all businesses must comply with five core principles:
There are four merchant levels of PCI compliance, defined by the card brands and organized by number of transactions per year (Level 1 is the highest-volume tier; Visa, for example, places merchants processing more than 6 million Visa transactions a year at Level 1). Any company that handles cardholder data fits into one of those levels. A company’s level is assigned by its acquiring bank based on its annual transaction volume, and a card brand may move a merchant to a higher level after a breach. The level determines how compliance must be validated: Level 1 merchants need an annual on-site assessment (normally by a Qualified Security Assessor, QSA) and a Report on Compliance, while lower-level merchants typically validate by completing one of the PCI SSC’s self-assessment questionnaires (SAQs). Which SAQ applies depends on how the company handles cardholder data, not on its level: a merchant that fully outsources card handling to a compliant processor completes a much shorter questionnaire than one that stores card data on its own systems.
The PCI SSC isn’t a governmental regulatory body, and it doesn’t levy penalties itself. Enforcement comes from the card brands, which fine the acquiring bank of a noncompliant merchant; the acquirer passes those fines on to the merchant under its merchant agreement and can ultimately terminate the merchant’s ability to accept cards. The primary consequence of compliance failure is therefore a monetary fine. If noncompliance comes to light through a breach, the costs go well beyond the fine: legal fees, per-card charges from issuing banks for reissuing every compromised card, the cost of mandatory audits, and the cost of cleanup (including investigation by an approved forensic investigator).
While the financial cost of not complying with the standard ($500,000 and up) may seem like a strong deterrent, the loss of trust from major banking institutions, third-party partners, and customers represents a longer-term concern.
Another important thing to remember is that using a payment processing firm that is itself PCI DSS compliant, such as PayPal, does not excuse you from the PCI requirements, although it does limit the scope of your compliance: the fewer systems of your own that touch cardholder data, the fewer requirements apply, and a merchant that sends customers entirely to the processor’s hosted payment page has the smallest scope. If you handle cardholder data, or integrate with a payment processing firm to do so, you are still required to comply and to validate that you do.