As an industry-based (as opposed to federal regulatory) approach to information security concerns, the Payment Card Industry (PCI) Security Standards Council was founded in 2006 by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. The council is composed of PCI representatives who have developed the various PCI security standards and have taken on management, education, and awareness surrounding them; the standards include the Data Security Standard (PCI DSS), the Payment Application Data Security Standard (PA-DSS), and the PIN Transaction Security (PTS) Requirements. The PCI Data Security Standard (PCI DSS) has been adopted by a consortium of the major credit card companies operating in the US. According to the council’s website at http://www.pcisecuritystandards.org, PCI DSS is intended “to help facilitate the broad adoption of consistent security measures on a global basis.” PCI DSS is a mandatory industry standard for organizations that collect, process, or store credit card information and/or cardholder data.
The PCI DSS is built around twelve requirements that are intended to represent data security best practices. These key principles include: maintaining firewalls around networks to secure consumer data; avoiding vendor-supplied default passwords and implementing customized password and encryption systems; encrypting cardholder data transmissions; implementing and updating anti-virus software; restricting access to cardholder data; monitoring access to cardholder data on the network; and regularly testing network security. The PCI DSS Requirements and Security Assessment Procedures document discusses these requirements in detail.
If an organization uses wireless technology to store, process, or transmit cardholder data, PCI DSS requirements and testing procedures specifically aimed at wireless environments apply. In general, the PCI DSS requirements apply to every situation in which a cardholder’s Primary Account Number (PAN) is stored, processed, or transmitted by a merchant or service provider. There are also specific requirements for service providers or merchants who outsource the storage, processing, or transmission of cardholder data to third-party providers.
The PCI DSS sets forth specific requirements based on annual transaction volume, although each payment card brand has unique requirements and definitions relating to PCI compliance levels. Actual compliance is governed by the individual payment card brands as opposed to the PCI Security Standards Council.
Failure to comply with the standards and to implement appropriate security controls may result in fines and/or penalties assessed on the merchant or service provider. If there is a credit card data breach, the card association may levy a fine on the acquirer (as much as $500,000, and $25 per compromised card). The acquirer has the option of passing the fine down to the merchant or service provider. There may also be additional state-level concerns, depending on an individual state’s data breach notification laws.
*The usual disclaimer: the PCI DSS involves much more detail than this brief overview provides, and this post does not set forth legal advice or opinion to any extent. Please contact an attorney familiar with privacy and data security requirements for an analysis of your specific compliance issues.