What is PCI?

Need to understand what PCI is? An overview of the main things you need to know can be found here.

Zen & the Art of PCI Compliance
Top 10 Tips for PCI Compliance
PCI Shrink to Fit
Need some help?

Speak to the Risk Factory Foreman, and he'll tell you everything you need to know.

Call us on 0800 978 8139

In a nutshell:

PCI stands for “Payment Card Industry”. which is comprised of representatives from the major card brands (Visa, MasterCard, American Express, Discover, JCB etc.) who came together to set minimum security requirements for protecting cardholder data.

To achieve this, they wrote a framework of security controls known as the PCI DSS. They wrote a number of other directives but this is the main one that applies to the majority of businesses. View the latest copy of the PCI DSS

The PCI DSS consists of six goals, 12 requirements and 286 controls and must be implemented by any business that processes, stores or transmits credit or debit card holder data. The requirement for PCI DSS compliance is stated in your agreement with the bank that issues you a merchant identification. Your business is required to certify compliance to your bank upon achieving it and annually thereafter. The banks report your compliance to the PCI SCC and can issues fines for non-compliance.

Implementing the PCI DSS in your business can be daunting if you don’t already have a framework in place to protect sensitive information you process. If you have one, it’s easier to understand the PCI DSS goals and objectives and integrate them into your own.

It’s imperative to understand two things before you start. First, the PCI DSS only applies to your systems that process, store or transmit cardholder data and any systems connected to this Card Data Environment (CDE). So the more you can reduce this scope (such as removing card data from non-essential systems and segmenting the system from the rest of the business) the more you will reduce the costs of implementing the PCI DSS and more importantly, the more you will reduce the risk of losing cardholder data. De-scoping then, should be your first priority.

Secondly, the PCI DSS should not be approached as a checklist of things for the IT Department to do. Your focus in implementing the PCI DSS should be on the process behind the controls. A simple routine that can be easily implemented produces evidence that it’s working, and can be cost-effectively applied year after year after year.

Think of it as Fire & Life Safety program for credit card data. It should be considered a fundamental building block in your businesses Governance, Risk and Compliance (GRC) efforts. Implementing the PCI DSS won’t guarantee that you will never have a breach but it will give you a process to identify, minimise and manage that risk.