Payment Card Industry Standards are the standards that guide how credit card companies and the merchants they do business with handle credit card data and process payments. Basically, any standard or best practice that is widely followed in the credit card industry can be called a payment card industry standard. However, the phrase is most often used in connection with the Payment Card Industry Universal Data Security Standard, also known as PCI DSS. PCI DSS is a document created by five major credit card companies that provides guidance on how to store credit card numbers and receipts, how to secure merchant computer networks, and how to handle payment processing outsourcing, among other things. Compliance with the payment card industry standards set forth in PCI DSS is technically voluntary, but noncompliance often has negative consequences for businesses and store owners.
Credit cards are often used to pay for everything from large, one-time purchases to everyday necessities like groceries and gas. When a customer swipes a credit card, a merchant-owned computer system reads the credit card information and transmits it through an Internet connection to the credit card company’s central computer for authentication. While this transaction usually takes only a few seconds, it involves a large amount of highly sensitive information. If this information is not properly protected, it can expose both cardholders and merchants to fraud. Key payment card industry standards are designed to prevent, or at least reduce, the likelihood of such fraud.
While some countries set uniform data security standards for financial transactions, not all do. Even where such laws exist, they generally regulate the financial industry broadly, setting a minimum standard that does not suit the specific needs of the credit card industry. There are simply no comprehensive regulations in the payment card industry. If widely adopted, payment card industry standards could fill this gap.
One of the main benefits of payment card industry standards is that they are created by and for the companies that most use and deal with credit cards. By their very definition, standards are voluntary and no law requires companies to adopt them. However, when enough companies begin to implement agreed payment card standards, the standards often become universally expected. Standards like PCI DSS aim to unify credit card security measures around the world.
PCI DSS was originally developed by a group known as the PCI Security Standards Council. This board is made up of representatives from five of the world’s largest credit card companies: American Express®, Discover®, JCB®, MasterCard® and Visa®. In addition to developing and updating standards, the council strives to improve overall credit card industry standards and industry regulations. To further this goal, the council educates the privacy and security industries on credit card data security. It also offers training programs and sponsors conferences designed to help companies comply.
Each of the credit card companies that participate in the PCI Security Standards Council requires providers that accept their cards to comply with the council’s payment card industry standards. This means that providers must adopt the payment card industry specifications set out in the standards, and monitor how their systems implement them, if they want to continue accepting credit cards as a form of payment. Credit card companies often audit large companies for compliance annually. Small businesses are generally allowed to self-report their compliance. If a merchant is found to be in violation of the rules, penalties can range from fines to full revocation of payment card service, depending on the severity of the violation.