Payment card industry standards are the standards that guide how credit card companies and the merchants they do business with handle credit card data and process payments. Basically any standards or best practices that are widely followed in the credit card industry could be called payment card industry standards. However, the phrase is most often used in connection with the universal Payment Card Industry Data Security Standard, also known as PCI DSS. The PCI DSS is a document pioneered by five major credit card companies that provides guidance on how to store credit card numbers and receipts, how to secure merchant computer networks, and how to handle outsource payment processing, among other things. Compliance with the payment card industry standards set out in the PCI DSS is technically voluntary, but failure to comply often has negative consequences for companies and store owners.
Credit cards are frequently used to pay for everything from large, one-time purchases to everyday needs like groceries and gas. When a customer swipes a credit card, a computer system owned by the merchant reads the credit card information, then transmits that information over an Internet connection to the credit card company’s computer mainframe for authentication. Although this transaction usually only takes a number of seconds, it involves a lot of highly sensitive information. If that information is not properly protected, it can open both card owners and merchants up to fraud. Mainstream payment card industry standards are designed to prevent, or at least reduce the likelihood of, that fraud.
Although some countries set uniform data security standards for financial transactions, not all do. Even the laws that exist usually regulate the financial industry broadly, a minimum standard that is not tailored to the credit card industry’s needs. Broad-sweeping payment card industry regulations simply do not exist. If widely enough adopted, payment card industry standards can fill this gap.
One of the major benefits of payment card industry standards is that they are created for and by the companies that use and deal with credit cards the most. By their very definition, standards are voluntary, and no law compels companies to adopt them. When enough companies begin implementing agreed-upon payment card standards, however, the standards often become universally expected. Standards like the PCI DSS aim to unify credit card security measures all over the world.
The PCI DSS was originally drafted by a group known as the PCI Security Standards Council. That council is made up of representatives from five of the world’s biggest credit card companies: American Express®, Discover®, JCB®, MasterCard®, and Visa®. Along with drafting and updating the standards, the council strives to improve general credit card industry standards and industry regulations. The council educates the privacy and security sectors about credit card data security in furtherance of this goal. It also provides training programs and sponsors conferences aimed at helping companies become compliant.
Each of credit card companies with a stake in the PCI Security Standards Council requires vendors who accept their cards to comply with the council’s payment card industry standards. This means that vendors must adopt and monitor how their systems implement the payment card industry specifications set out in the standards if they want to continue accepting credit cards as payment. Credit card companies usually audit large companies’ compliance themselves on an annual basis. Small businesses are usually permitted to self-report their compliance. If a merchant is discovered to be failing compliance, penalties can range from fines to complete revocation of the payment card service, depending on the severity of the violation.