What is PCI? How Payment Card Industry Data Security Standard Works

Sydney Vaccaro, Industry Terms

Any company that processes or otherwise handles credit cards needs to be fully aware of the PCI standards. It is vital that merchants adhere to the PCI guidelines to protect both themselves and their customers' data.

What is the PCI Security Council?

The PCI Security Council is a global organization whose goal is to promote and help maintain the security of cardholder information. The council creates, supports, and promotes the Payment Card Industry Security Standards. It does this through assessment and scanning qualifications, self-assessment questionnaires, education, and training.

The council was founded by Visa, American Express, MasterCard, Discover, and JCB. These founders make up the executive committee that runs the security council.

What are the PCI Standards?

The goal of the standards is to make sure merchants are correctly protecting cardholders' data by setting operational and technical requirements. "The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment." The following are the PCI DSS goals and requirements:

PCI DSS Requirements

Build and maintain a secure network

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program

5. Use and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications

Implement strong access control measures

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly monitor and test networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an information security policy

12. Maintain a policy that addresses information security for employees and contractors

The PCI Security Council also suggests taking these ten steps to better security:

  • Buy and use only approved PIN entry devices at your point-of-sale.
  • Buy and use only validated payment software at your POS or website shopping cart.
  • Do not store any sensitive cardholder data in computers or on paper.
  • Use a firewall on your network and PCs.
  • Make sure your wireless router is password-protected and uses encryption.
  • Use strong passwords. Be sure to change default passwords on hardware and software – most are unsafe.
  • Regularly check PIN entry devices and PCs to make sure no one has installed rogue software or “skimming” devices.
  • Teach your employees about security and protecting cardholder data.
  • Follow the PCI Data Security Standards.

The Four Levels of PCI

There are four levels into which merchants are placed under the PCI standards. The levels are based on the volume of Visa transactions the merchant processes in a year. The more transactions processed over the year, the greater the effort the merchant must make to keep its customers' data safe.

PCI Compliance Level One Merchant

  • Any merchant who processes over 6 million Visa transactions
  • Or, any merchant who Visa determines should meet level one merchant requirements

PCI Compliance Level Two Merchant

  • Any merchant who processes 1 million to 6 million Visa transactions

PCI Compliance Level Three Merchant

  • Any merchant who processes 20,000 to 1 million Visa ecommerce transactions

PCI Compliance Level Four Merchant

  • Any merchant processing fewer than 20,000 Visa ecommerce transactions
  • All other merchants processing up to 1 million Visa transactions

Keeping Data Safe

As the security council explains, "The breach or theft of cardholder data affects the entire payment card ecosystem. Customers suddenly lose trust in merchants or financial institutions, their credit can be negatively affected -- there is enormous personal fallout. Merchants and financial institutions lose credibility (and in turn, business), they are also subject to numerous financial liabilities." So merchants, and any other organization that handles cardholder information, should continually improve their security to protect their customers, their reputation, and their bottom line.