PCI DSS (Payment Card Industry Data Security Standard) is a set of standards designed to ensure that credit card information remains safe and is captured and transmitted in a secure way.

In other words, it is a set of rules to reduce the risk of fraudsters, hackers, and thieves from stealing sensitive credit card information. PCI Compliance is mandated by the major card brands (Visa, Mastercard, American Express etc.) and the rules apply to all payment processors, service providers, and merchants.

Who does it apply to?

PCI compliance applies to all businesses accepting credit and debit card payments, regardless of their size or their nature. Even smaller merchants using a mobile app at pop-up shops on the weekend are required to meet PCI standards. PCI is the world's largest security standard, as it applies to millions of merchants, processors, ATM companies, and other service providers worldwide.

Who sets the standard and who enforces it?

The Payment Card Industry Security Standards Council (PCI SSC) is the governing body that sets and updates the standard. It was created in 2006 by the major card brands, including Visa, Mastercard, Discover, and American Express in order to have a universal set of rules. The card brands are the ones that enforce the standard, requiring processors to be compliant, validate their merchants, and impose fines if a breach occurs because of non-compliance.

Why do I have to be compliant?

Quite simply, to avoid a potential security breach, compromising sensitive credit card information, and suffering severe fines. Fines imposed by the card brands in the event of a breach can be extremely costly to your business, and sometimes, in the case of a smaller business, crippling. In this digital age, all businesses should want to protect themselves as much as possible and being PCI compliant is an easy step to take to avoid much bigger headaches down the road. By being compliant you also gain access to extended data breach insurance coverage, which would help provide some relief if a breach were to occur.

My payment processor is compliant, does that mean I'm compliant?

The short answer is no. While all payment service providers are required to be PCI-DSS Level 1 compliant, merchants are still responsible for the security scope of their own business environment. A virus-infected computer or a dishonest staff member is all it could take to have someone steal credit card numbers from your business. We recommend that merchants use as many compliant services as possible to help shift the scope of responsibility from their business. These include using your payment provider’s credit card vault, using card readers and terminals that offer end-to-end encryption (E2EE), using hosted payment pages and .js payment plugins, and whatever other tools are available to shift your PCI liability over to your payment provider. But even with a reduced security scope, if you’re a merchant, you must still complete a basic self-assessment questionnaire (SAQ) once per year, confirming that your business is PCI compliant.

For more information you can check out these additional articles: