What Is PCI Compliance? PCI Compliance Explained
By Yvette Glover
Published on 08/11/21

Payment card industry (PCI) compliance is based on a set of 12 technical and operational standards developed by the PCI Security Standards Council (SSC), an independent body formed in 2006 by American Express, Discover, JCB International, Mastercard, and Visa. These standards apply to any business that accepts, transmits, or stores credit card data. They were created to ensure a secure environment that protects customer and business information against issues such as data breaches.

To better understand PCI compliance, it's important to know what it entails, what the requirements are, and how it all works.

PCI Compliance Definition and Requirements

PCI compliance is adherence to a set of standards for credit card security and protection set by the PCI SSC. These standards were created to ensure a secure environment for any business that processes cardholder data. While the PCI SSC developed the standards, the payment brands and merchants are responsible for enforcing compliance. Each credit card brand may have its own specific PCI requirements that businesses need to follow. Business owners should check with each payment brand to ensure they meet all the necessary requirements.
Alternate name: Payment Card Industry Data Security Standard
Acronym: PCI, PCI DSS

PCI Compliance Standards

There are 12 standards in the PCI DSS that cover both technical and operational system components:

1. Maintain a firewall to protect cardholder data
2. Use high-level security passwords instead of default system passwords
3. Protect stored cardholder data through proper security protocols
4. Encrypt the transmission of cardholder data
5. Protect all systems against malware and regularly update anti-virus programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder information
8. Identify and authenticate access to all system components
9. Restrict physical access to cardholder information
10. Track and monitor all access to network and cardholder data
11. Frequently test security systems and processes
12. Maintain an information security policy for all personnel

To protect sensitive cardholder information, it is the responsibility of every business that processes, transmits, or stores customer card data to ensure PCI standards are met. These standards can help merchants guard against hackers and information thieves. Not meeting these requirements can leave a business more vulnerable to financial damage and could result in costly non-compliance fees assessed by credit card brands.

How Does PCI Compliance Work?

Each card issuer has its own PCI compliance guidelines, so it's a good idea for business owners to check with each issuer to ensure they meet the proper qualifications. To be considered PCI compliant, businesses need to go through a three-step process that includes scoping, assessing, and reporting.

Scoping

In scoping, business owners need to identify all systems that, if compromised, could impact cardholder data. Scoping is generally an annual process that involves evaluating all systems and all the ways cardholder data interacts with the business. This process helps determine the type of assessment needed, as well as its magnitude and cost.
Assessing

The assessment portion of PCI compliance consists of either a self-assessment questionnaire or an on-site audit conducted by a qualified security assessor. Which assessment a business needs is determined by the credit card company's merchant levels. For example, businesses that process fewer than an issuer's specified number of card transactions each year may only need a self-assessment questionnaire. Business owners can determine their merchant level through each credit card company's designated website, such as those for Visa, Mastercard, and American Express.

Reporting

Once business owners complete the self-assessment, they'll need to report it to the credit card company. Businesses that qualify for an in-person assessment must submit a Report on Compliance to the payment card issuer directly. PCI compliance assessments are only required annually, but business owners may also need quarterly vulnerability scans conducted by an approved scanning vendor. Whichever assessment is done, reporting the audit results to the payment card issuers is the final step in PCI compliance.

Key Takeaways

- PCI compliance is the credit card industry's set of standards that businesses accepting, transmitting, and storing cardholder data must follow.
- There are 12 technical and operational standards businesses need to adhere to in order to meet PCI compliance.
- There is a three-step process to become PCI compliant: scoping, assessing, and reporting.
- The assessment process involves either taking a self-assessment questionnaire or getting an on-site audit.