PCI Data Security Standard
Overview
What is the Payment Card Industry (PCI)?
Data security breach costs, both direct and indirect, can run very high. They include fines and monetary penalties levied by the card companies, the cost of reissuing and replacing cards, litigation, and remediation and mitigation expenses. More importantly, a company risks loss of reputation and loss of business. Having taken effect on June 30, 2005, the PCI data security standard applies to the payment card industry worldwide, harmonizing earlier standards to regulate the security of MasterCard, Visa, and other credit-card organization payment-card systems. In September 2006, the PCI standard was updated to version 1.1 to provide clarification and minor revisions to PCI 1.0.
Who should be concerned about PCI?
The PCI standard applies to all member financial banks, merchants, and service providers (third-party processors and storage entities) that store, process, or transmit cardholder data.
Merchant banks (member banks serving the merchant) may be required to ensure not only their own compliance, but also that of their merchants and service providers. Merchant banks are required to have certified proof of compliance from all merchants with more than 20,000 e-commerce transactions per year.
What systems are impacted by PCI?
The requirements apply to all "system components," defined as any network component, server, or application included in, or connected to, the cardholder data environment. The phrase "network component" refers to firewalls, network appliances, routers, switches, wireless access points, and other network and security components. Servers include, but are not limited to, authentication, database, domain name service (DNS), email, network time protocol (NTP), proxy, and Web servers. Applications include all purchased and custom applications, including internal and external (Web) applications. Thus, small, medium, and large entities are affected, and the requirements apply to all payment channels: telephone, Web, mail, and in the store.