The Payment Card Industry: Standards and Practices

We take a lot for granted with our credit cards.

Case in point: we assume their security and their reliability simply happens, with little input or notice from us. We process billions of transactions every year across the country, over the internet and in person. And the majority of the time, those transactions are fast, secure, and reliable. We only notice when something goes wrong, which is comparatively rare for such a massive industry. But still it happens—and too often.

So how does it all work? What’s the secret?

Payment Card Industry (PCI) compliance is a set of standards and practices mandated by the credit card companies to ensure security for all transactions and payments in the industry. These standards refer not only to the technical standards of compliance, but also the operational ones that businesses must follow to provide a seamless and security-based experience for all customers and their transactions.

PCI standards are developed and managed by the PCI Security Standards Council. This council was originally formed by American Express, JCB International, MasterCard, Discover Financial Services, and Visa, Inc., in 2006. You likely recognize most or all of those names—they’re the heavy hitters in credit cards and the financial industry. Their cooperation over these standards helps maintain interoperability, trust, and a seamless experience that ensures transactions follow a core set of values that make all customers secure.

The PCI Council created a series of security standards known as the Payment Card Industry Data Security Standard (PCI DSS). These standards are formed by twelve significant requirements and sub-requirements, with different operational directives and guidelines under each item. The twelve items are:

• Implement and configure firewalls to protect data

• Password protection

• Protect cardholder data

• Encrypt transmitted cardholder data

• Use antivirus software

• Keep software and security systems updated

• Restrict access to cardholder data

• Assign unique IDs to those with data access

• Restrict the physical access of data

• Create and monitor access logs

• Keep security systems tested regularly

• Create documented policies that are easy to follow

These twelve items for the requirements that credit card processors must follow at all times to be PCI compliant. The most recent updates to the PCI DSS guidelines was implemented in 2018. Codes and standards are continuously updated and studied to ensure they are current best practice and reflect a massive and evolving industry.

There are other industry standards and guidelines, such as the Payment Application Best Practices (PABP), that manage other facets of the industry. Security measures are continually tested and refined, and the council actively encourages feedback and studies to reinforce new decisions and guidelines that emerge from the real-time testing of rolled out standards.

What Are the Benefits of PCI Compliance?

PCI Compliance keeps customers and their data secure.

Many organizations keep highly sensitive personal data on file, such as cardholder information, social security numbers, driver’s licenses, and other personally identifying information that could be damaging if released or unsecured. All companies that process credit card information must follow PCI standards and be fully compliant with regulations for their processing agreements. They have a big incentive: there’s a lot of money and convenience in using credit cards for monetary transactions, and the risk of losing access to that can be fatal to a business. Following set standards not only helps customers, but helps the business as well.

Testing of PCI standards and assessment of security gaps is highly valuable to the industry. Now more than ever, personal data and payment information is at the mercy of hackers and bad actors. We hear about massive data breaches of large organizations practically daily. Many of us have likely had to get a new credit or debit card following a known breach of security at a major retailer or credit processor, such as Target in 2013. Target eventually settled this breach to the tune of $18.5 million. When it comes to payment processing, there’s a lot of money to be made—and lost. In Target’s case, cyber attackers had accessed Target’s gateway server through stolen third-party vendor credentials.

Cardholder data isn’t a one-size-fits-all definition—it can come from many different places, as shown through the Target example above. Hy Vee suffered a year-long breach through infected point-of-sale devices, and the breach was not noticed until far too late; massive amounts of personal data were stolen.

Other potential failure points include:

• Compromised card readers, as in Hy Vee’s case

• Paper records, filed or otherwise

• Data stored in databases, onsite or off

• Unintended access to an organization’s wireless or wired network

• Cameras recording authentication data, such as concealed computer cameras

Companies that are in PCI compliance must also routinely conduct audits and issue compliance reports. While PCI compliance is not required by law, it is considered mandatory due to court precedent. Given the power and market domination of the big credit card players mandating the standards, it’s easy to see why companies follow these guidelines so carefully and are eager to not run afoul of PCI compliance.

Aside from the legal and business aspects of the standards, it’s important to remember one crucial thing: the customer experience is vital to a successful industry. Businesses thrive when its customers feel safe, secure, welcomed, and able to trust the institutions they do business with on a daily basis. No one wants to feel they’ll lose money or their identity if they do business with a company, even for a small transaction or a quick purchase. Any size company has a duty to maintain high trust for its customers because business is built on the foundation of a seamless, secure experience across the board.

Whether you’re a small or large company, established or just starting out, PCI compliance and regulation is a large topic that deserves careful consideration and dedication to following its standards. These standards continually evolve to protect us all and the customers we serve, and the benefits of adapting to a changing world are enormous. If you’re not currently following PCI guidelines or implementing security programs for protected data, do so immediately. If you’ve been lax in your following, now’s a good time to revamp your security program and reinvest time and money to become compliant.

Visit the official PCI Security Standards Council for more information on how to become compliant and stay within regulations continually.