Definition: The Payment Card Industry Data Security Standard (PCI DSS) is a set of policies and procedures developed by the Payment Card Industry to improve the security of credit, debit, and cash card transactions and protect cardholders from identity theft.
Payment Card Industry Data Security Standard explained
The PCI DSS was created in 2004 by Visa, MasterCard, Discover, and American Express, four major credit card companies, and is administered by the Payment Card Security Standards Council.
The PCI Data Security Standard outlines twelve compliance requirements that are grouped into six logically related groups known as "control objectives." The six groups are as follows:
- Build and Maintain a Secure Network and Systems
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
Any organization that stores, processes or transmits credit card information must secure payment card data in accordance with PCI standards. This means that any merchant or service provider that handles cardholder data must comply:
- Merchants are entities that accept debit or credit card payments for goods or services. Note that the PCI DSS applies to merchants even if they have subcontracted their payment card processing to a third party.
- Service providers are entities directly involved in processing, storing or transmitting cardholder data on behalf of another entity.
Some organizations can act as both merchants and service providers. For example, an organization that provides data processing services for other merchants will also be a merchant if it accepts card payments.
The effort required to become PCI DSS compliant depends on the complexity of an organization's payments environment and the data security measures already in place. Each organization needs to be assessed on an individual basis.
Payment security is essential for every organization that handles card data.