
A Primer on PCI DSS

Posted by Tiffany Taylor and Alison Arthur on 10 Mar 2021

PCI DSS, the Payment Card Industry Data Security Standard, is a set of security requirements that applies to every organization that stores, processes or transmits cardholder data, regardless of the size of the company or the industry it serves. The requirements were developed to ensure that this sensitive data is handled safely and to protect cardholders from fraud.

Who enforces PCI DSS?

The PCI Security Standards Council (PCI SSC) was formed by the major payment card brands (American Express, Discover, JCB, Mastercard, and Visa) to oversee and manage PCI DSS. However, the PCI SSC does not enforce PCI DSS—that responsibility falls to the payment card brands. Each card brand has specific requirements for validating merchant compliance and associated reporting standards.

But our business doesn’t store cardholder data. We work with a third-party vendor that does this on our behalf.

Even if your business never stores cardholder data, PCI DSS still applies to every part of your environment that transmits or processes it, for example a web page that collects card details before handing them to a payment processor. Service providers that store, process, or transmit cardholder data on your behalf must also comply, and you remain responsible for confirming their compliance and for agreeing in writing which PCI DSS requirements each party covers.

What is cardholder data?

Cardholder data is, at a minimum, the full primary account number (PAN) printed on the card. When the full PAN is present, the cardholder name, expiration date and service code are cardholder data as well. PCI DSS separately defines sensitive authentication data (full magnetic stripe or chip track data, the card verification code such as CVV2, CVC2 or CID, and PINs or PIN blocks), which must never be stored after authorization, even in encrypted form.

How does PCI DSS apply to the software vendors that we use to accept payments?

The Payment Application Data Security Standard (PA-DSS) applies to vendors of payment applications that are sold, distributed or licensed to third parties and that store, process, or transmit cardholder data; the PCI SSC is retiring PA-DSS in favor of its Software Security Framework. The payment card brands encourage merchants to use payment solutions that have been validated against these standards and are listed by the PCI SSC. Using a validated third-party product or service does not exempt the merchant from PCI DSS, however. It may reduce the scope of the merchant's PCI DSS assessment, but it never removes the obligation altogether.

How do the payment card brands enforce compliance with PCI DSS?

There are two primary tools that the payment card brands use to help ensure that merchants are PCI DSS compliant:

  1. Qualified Security Assessors (QSA) and Approved Scanning Vendors (ASV)

QSAs are approved by the PCI SSC and perform on-site assessments of PCI DSS compliance, documented in a Report on Compliance (ROC). ASVs are also approved by the PCI SSC; their role is the quarterly external vulnerability scans that PCI DSS requires of the internet-facing systems of merchants and service providers.

  2. Self-Assessment Questionnaire (SAQ)

For eligible organizations, the SAQ is a validation tool that merchants use to assess their own PCI DSS compliance. Several SAQ versions exist, and which one applies depends on how the merchant accepts cards; a merchant whose card acceptance is fully outsourced to a validated third party answers far fewer questions than one that handles card data on its own systems.

What happens if our business doesn’t comply with PCI DSS?

Failure to comply can result in significant fines from the payment card brands. The card brands impose these fines on their member banks (the acquirers), which pass them along to the responsible merchant. In some cases, continued non-compliance can lead the acquirer to terminate the merchant account.

Is PCI DSS compliance a one-time thing?

No. Keeping cardholder data secure is an ongoing effort that requires communication and teamwork across many disciplines. How you validate compliance also depends on your merchant level, which the card brands set based on annual transaction volume. As your business grows and changes, your level and validation requirements may change with it, and the PCI DSS requirements and card brand rules themselves are revised over time. It is your business's responsibility to be aware of these changes and to react accordingly.

The Bottom Line: Accepting electronic payments opens businesses up to the possibility of fraud. PCI DSS compliance is an important piece of a larger data security and fraud prevention strategy. For more information on PCI DSS, please visit www.pcisecuritystandards.org

If your business initiates web debit transactions, you will also want to know about the new Nacha WEB Debits operating rule, which requires bank account validation. Read more in Understanding the Nacha 2021 Rule Change.

 *This is an update on an original post published May 2018

Tiffany Taylor Blog Contributor Tiffany Taylor is a technology marketing professional with broad expertise in a number of marketing disciplines and financial technology expertise including payments, retail and digital banking, core processing, and lending. As the owner of Tiffany Taylor Marketing, Tiffany brings a well-rounded perspective to FinTech marketing and creative content development.
Alison Arthur Product and Content Marketing Manager Alison creates timely product marketing and thought leadership content that keeps Alacriti's community informed on the latest developments in billing and payments technology. With a background in payments and financial services, Alison specializes in composing content related to technology, security, compliance, and overall industry trends.