What Is PCI Compliance?

According to data from Statista, 40% of point-of-sale payments made in 2021 were made with a credit card, followed by debit cards at 30%. Cash usage continues to decline year over year. With credit and debit card use so ubiquitous, it's important to understand how the cards we use to pay for goods and services are actually kept safe and secure.

Every company that accepts credit or debit cards as a form of payment must adhere to a stringent set of security standards protecting customer data from being stolen or compromised. In other words, they must be "PCI compliant." But there's a good chance that most people haven't heard the term "PCI compliance" or even know what the "PCI" stands for, so let's begin there. The term "PCI" stands for Payment Card Industry and is typically used to describe institutions that use and process all types of payment cards, such as debit and credit cards.

When online shopping and e-commerce exploded in the late 1990s, payment fraud became a serious problem, so the credit card companies each started establishing their own set of security standards to combat the rise in fraudulent activity.

The history of PCI compliance

In 1999 Visa announced it would implement the Cardholder Information Security Program (CISP). The goal was to protect cardholder data using the highest information security standards possible throughout the entire transaction process. This move forced Mastercard, American Express, and Discover to implement security programs of their own, and over the next five years, merchants had to deal with a dizzying array of standards from each company.

In 2004 the PCI's founding members — Visa, MasterCard, JCB International, American Express, and Discover — finally agreed on a unified common set of standards known as PCI DSS 1.0. Two years later, it released Version 1.1, which made merchants review online applications and establish firewalls for extra security. This set of standards became officially known as the Payment Card Industry Data Security Standard (PCI DSS), and the Payment Card Industry Security Standards Council (PCI SSC) was created to maintain it.

The PCI SSC constantly evolves the standard with technology to provide the best security to consumers. Version 1.2 was released in 2008 and created guidelines for protecting wireless networks and administering antivirus software. New versions have been released every few years, with version 4.0 announced in March 2022. This new version won't go into effect until 2024; it updates firewall terminology and network security controls to keep up with the latest technologies, and it will require companies to implement multi-factor authentication (MFA) for all access to cardholder data, among other requirements.

The 12 key requirements of PCI compliance

Becoming "PCI compliant" is not a simple task. According to Investopedia, the PCI DSS has 12 key requirements, another 78 base requirements, and well over 400 testing procedures. To be "PCI compliant," a company must follow these 12 requirements.

  1. The company must build and maintain a secure network that includes firewalls to protect cardholder data from hackers and unauthorized access to private data.
  2. Companies can never use vendor-supplied passwords or other default security parameters as provided. Compliance standards also require the company to keep a log of all devices and software that require a password or some other means of security to access. It must maintain a device-password inventory and change the passwords regularly.
  3. Stored cardholder data — including primary account numbers (PAN) — must be protected with encryption keys, and those encryption keys also need to be encrypted. Regular scanning and maintenance are required to ensure there is never unencrypted data.
  4. Any time cardholder data is sent through open, public networks, that data must be encrypted. Additionally, account numbers cannot be sent to unknown locations.
  5. Every computer should have anti-virus software installed, but the PCI DSS requires it to be installed on every device that interfaces with or stores the primary account number (PAN). This software must be routinely patched and updated.
  6. Companies must develop and maintain secure systems and applications by constantly updating every piece of software that comes in contact with cardholder data. Software patches must address any recently discovered vulnerabilities that hackers may use to compromise private data.
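Requirement 3 above says stored cardholder data must never exist unencrypted and that regular scanning is required to confirm that. One concrete place cleartext primary account numbers (PANs) leak is application and debug logs. The following Python script is an added example written for this page, not code from the original article or from the PCI SSC: it scans a constructed sample log for PAN-like digit runs, uses the Luhn check digit to discard look-alike numbers such as trace IDs, and redacts each hit down to the last four digits. The log lines, the test card number 4111111111111111, and the 13-to-19-digit PAN length assumption are all constructed for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample log (not from the article): one entry leaks a full PAN,
# one is already masked, one uses a token, and one carries a 13-digit trace
# id that is NOT a card number even though it is the right length.
SAMPLE_APP_LOG = """\
2022-03-01T10:00:01Z INFO  checkout ok order=1001 pan=4111111111111111 amount=19.99
2022-03-01T10:00:02Z INFO  checkout ok order=1002 pan=****-****-****-4242 amount=5.00
2022-03-01T10:00:03Z INFO  checkout ok order=1003 token=tok_9f3a1c amount=42.10
2022-03-01T10:00:04Z DEBUG trace id=1234567890123 step=authorize
"""

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test.

    Payment card numbers carry a Luhn check digit, so this filters out most
    random digit runs (order numbers, trace ids) that merely look like PANs.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, the usual display-safe form of a PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_line(line: str) -> Tuple[str, int]:
    """Replace every Luhn-valid PAN in the line with its masked form.

    Returns the redacted line and how many PANs were found in it.
    """
    count = 0

    def _sub(m: "re.Match[str]") -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            return m.group()    # length matched but not a card number: leave it
        count += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(_sub, line), count


def scan_log(text: str) -> List[Tuple[int, str]]:
    """Return (line number, redacted line) for every line that leaked a PAN.

    Only the redacted text is returned, so the finding itself never carries
    the cleartext PAN into a ticket or report.
    """
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        redacted, count = redact_line(line)
        if count:
            findings.append((n, redacted))
    return findings


if __name__ == "__main__":
    for line_no, redacted in scan_log(SAMPLE_APP_LOG):
        print(f"line {line_no}: cleartext PAN found, redacted form: {redacted}")
```

Run on the sample, the scanner reports only line 1: the already-masked entry has too few digits to match, the token line has no digit run of PAN length, and the 13-digit trace id fails the Luhn check. In practice the same `redact_line` logic belongs in the logging pipeline itself (a log formatter or filter) so the PAN is never written to disk in the first place, with the scan kept as the periodic check the requirement calls for.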

Security in all PCI compliance measures

The rest of the list has to do with access control, monitoring, and maintaining security. Since PCI compliance has to do with digital records just as much as it has to do with money, it's important for companies to stay vigilant not only now, but well into the future.

  7. Access to cardholder data should be classified as strictly "business need-to-know," and a log of the personnel who have access to this information must be maintained, documented, and updated regularly.
  8. Each person who has access to cardholder data must have unique login credentials. No two people should ever share the same username or password.
  9. Physical access to cardholder data must be restricted via security measures, and logs must be maintained for those who do need access to this information. Physical security measures include CCTV coverage of the area, key card access, vault combinations, etc.
  10. Companies must track and monitor all access to network resources and cardholder data. PCI DSS compliance requires companies to document how cardholder data flows into the organization and the number of times that data is accessed.
  11. Companies must regularly scan and test security systems and processes for vulnerabilities to keep cardholder data secure.
  12. Everything, from the moment cardholder data enters the organization, to how employees access it, to where and how it is stored, must be documented. Proper record-keeping can be the hardest part of staying "PCI compliant."
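Requirements 7, 8 and 10 above translate into a recurring audit question: who touched cardholder data, how often, and from where? The Python script below is an added example for this page, not code from the original article or from the PCI SSC. It parses a constructed access log in a made-up `user=... host=... action=...` format, counts cardholder-data reads per user, flags any user outside an assumed need-to-know list, and flags an account seen from an unusual number of distinct hosts (a hypothetical threshold of three) as a possible shared credential that would violate the unique-login rule. The log format, the user names, the `VIEW_PAN` action name and the threshold are all assumptions.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Set

# Constructed access log (not from the article). Format is invented for the
# example: timestamp, user, source host, action, record touched.
SAMPLE_ACCESS_LOG = """\
2022-03-01T09:00:00Z user=alice host=10.0.1.10 action=VIEW_PAN record=ord-1001
2022-03-01T09:05:00Z user=alice host=10.0.1.10 action=VIEW_PAN record=ord-1002
2022-03-01T09:06:00Z user=bob host=10.0.1.11 action=VIEW_PAN record=ord-1003
2022-03-01T09:07:00Z user=bob host=10.0.2.44 action=VIEW_PAN record=ord-1004
2022-03-01T09:08:00Z user=bob host=10.0.3.9 action=VIEW_PAN record=ord-1005
2022-03-01T09:09:00Z user=carol host=10.0.1.12 action=VIEW_PAN record=ord-1006
2022-03-01T09:10:00Z user=alice host=10.0.1.10 action=VIEW_PAN record=ord-1007
2022-03-01T09:10:05Z user=alice host=10.0.1.10 action=VIEW_PAN record=ord-1008
2022-03-01T09:11:00Z user=alice host=10.0.1.10 action=LOGIN record=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"action=(?P<action>\S+) record=(?P<record>\S+)$"
)

# Assumed need-to-know list (requirement 7): the documented set of personnel
# who are allowed to view cardholder data at all.
AUTHORIZED_USERS: Set[str] = {"alice", "bob"}

# Assumed threshold: one person normally works from one or two hosts; an
# account seen from this many distinct hosts is worth a closer look.
SHARED_HOST_THRESHOLD = 3


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access-log line into a dict, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit_access(text: str,
                 authorized: Set[str],
                 host_threshold: int = SHARED_HOST_THRESHOLD) -> Dict[str, object]:
    """Summarise cardholder-data access from a log.

    Returns per-user access counts (requirement 10), users outside the
    need-to-know list (requirement 7), and accounts used from at least
    host_threshold distinct hosts, a common sign of a shared credential
    (requirement 8).
    """
    counts: Counter = Counter()
    hosts: Dict[str, Set[str]] = defaultdict(set)
    unauthorized: Set[str] = set()
    malformed: List[str] = []

    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            malformed.append(line)      # keep, so gaps in the record are visible
            continue
        if rec["action"] != "VIEW_PAN":
            continue                    # only cardholder-data reads count here
        user = rec["user"]
        counts[user] += 1
        hosts[user].add(rec["host"])
        if user not in authorized:
            unauthorized.add(user)

    possibly_shared = sorted(u for u, hs in hosts.items() if len(hs) >= host_threshold)
    return {
        "access_counts": dict(counts),
        "unauthorized": sorted(unauthorized),
        "possibly_shared": possibly_shared,
        "malformed_lines": malformed,
    }


if __name__ == "__main__":
    report = audit_access(SAMPLE_ACCESS_LOG, AUTHORIZED_USERS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample log the audit reports four reads by alice, three by bob and one by carol; carol is flagged because she is not on the need-to-know list, and bob is flagged because his account was used from three different hosts. Neither flag is proof of wrongdoing by itself, which is exactly why the requirement is to log and review rather than to block automatically: the review is what turns the raw access trail into the documentation a PCI assessment asks for.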

PCI compliance isn't required by law, but it is still considered mandatory

The law doesn't require PCI compliance, but it is considered mandatory in practice based on a court case involving the FTC and Wyndham Worldwide Corporation. PCI compliance provides several benefits to a company, such as reducing the number of data breaches, which in turn avoids fines, settlements, and the cost of reissuing new payment cards. Companies that remain PCI compliant show customers their data is secure from identity theft, so consumers can feel safe that their data won't be compromised. Companies that find any part of their process to be outside the bounds of PCI compliance can find themselves in hot water. The Federal Trade Commission (FTC) helps to enforce PCI compliance in its quest to protect consumers against fraud and unlawful practices in the marketplace.

Despite the protections afforded by the requirements of PCI compliance and the best efforts of the FTC, data breaches occur frequently, and 68% of businesses feel cybersecurity risks are on the rise. According to Cybint, 95% of breaches are caused by human error, and a hacker attacks every 39 seconds.

Stay secure beyond PCI compliance promises

One of the most public security breaches in recent memory occurred in 2017 when the systems at Equifax were breached, and the names, phone numbers, home addresses, birth dates, and Social Security numbers of 148 million Americans were exposed. Additionally, the credit card numbers of some 209,000 people were compromised, suggesting that for all the good PCI compliance does for consumers on a daily basis, we still have some work to do in our ever-evolving modern digital age. Examples like the Orbitz data breach, the data breach at Robinhood, and the recent Cash App breach remind us that no single service is infallible.

Make sure you keep a close eye on your digital accounts, request a new credit card number from time to time, and always keep your passwords secure. Never, ever use default passwords, and do not assume that because you can't imagine ever being targeted by a malicious party, you won't find yourself part of a massive data breach one day. Stay vigilant and make sure you're not taking any low-security measures for digital payments for the sake of convenience. No matter how secure any credit card suggests it'll be, there'll always be room for human error.