The Payment Card Industry (PCI) emerged during the early days when the Internet was becoming popular for commerce, and businesses began accepting credit cards for online sales. The card issuers began to see fraud and realized that additional security measures were needed to manage the potential risk. Initially, credit card issuers developed and imposed their own security standards on businesses that used their cards for online transactions. However, it quickly became clear that working together was more likely to receive widespread adoption than having each issuer impose its own requirements on the businesses. In 2004, a group represented by American Express, Discover Financial Services, JCB International, Mastercard, and Visa was formed to develop a single set of standards. In December 2004 the PCI Data Security Standards (DSS) 1.0 (now updated to PCI DSS 4.0) was created and shared publicly. At that time, all merchants who accepted credit cards, plus payment processors (i.e., entities that process payments on behalf of merchants), were required to comply with the standards.

In 2006, the PCI founders created a quasi-independent organization to continue driving the standards and increase compliance. The PCI Security Standards Council was created and updated the standards to 1.1, which included requirements for online application review and firewall deployments.

Since 2006, the PCI DSS updates have occurred every 1-2 years. The current version is PCI DSS 4.0, which was released in March 2022 with new requirements coming into effect in March 2024.

As the PCI DSS matured, it also expanded its scope. Today, virtually any business that handles cardholder data must comply with  PCI DSS. Specifically, PCI DSS applies to all entities (merchants and service providers) involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process, or transmit cardholder data and/or sensitive authentication data.

This is an interesting question. In almost all other compliance cases, some legislative body passed a law or regulation with specific requirements for certain things, and they authorize the imposition of sanctions for non-compliance. In this case, the organization creating the rules is not an elected government entity, and the sanctions, while real, are not backed up by a powerful and forceful government. However, the power of the card issuers should not be underestimated. Their powers include fines and even under extreme circumstances revocation of all rights to use the card in business transactions.

There are many reasons why companies should comply with PCI DSS. From an ethical perspective, a company should strive to protect its customers from harm, which includes fraud resulting from misuse of the cardholder data. From a financial perspective, the card issuers have tremendous flexibility in determining how, when, and how much to penalize an entity for non-compliance. Unlike state, federal and local statutes, the card issuer is not required to warn them in advance of the actual cost (or even the range) that can be imposed on a merchant or other entity handling cardholder data. Additionally, whether a business or other processing entity knows it, they are required to sign legal documents before accepting credit cards that include their obligations to protect cardholder data and the possibility of  sanctions that can be imposed for non-compliance. 

Finally, PCI DSS, in fact, represents nothing more than a set of industry best practices that all companies should implement and support whenever sensitive data is being stored, processed or transmitted. For many companies that have achieved some level of maturation in information security, the additional reporting requirements are minimal and the benefits significant whenever credit cards are used in online transactions.

Unfortunately, the authors and sponsors of the PCI DSS are very similar to government lawmakers: they do not make rules that are crystal clear and easy for most people to understand and support. Many businesses in the world are small and medium sized sized , and their core competency is not information technology, information security, or compliance. Consequently,  most companies do  require help from professionals who are PCI DSS specialists and can help the client develop and implement a compliance plan. The good news is that they find many potential choices. Also, the good news is the fact that the PCI DSS compliance validation requirements are less strict for companies that do a small volume of credit card transactions annually, while larger companies have stricter guidelines and must adhere to additional testing and validation procedures.

Planet 9, a San Francisco Bay Area-based organization, employs seasoned professionals with years of experience working in various private industries including e-commerce, finance, healthcare, manufacturing and technology. With PCI compliance, not only do we have consulting experience helping clients become and remain compliant, but we also have former security Chief Information Security Officers and compliance managers from private industries who have personally been accountable for PCI compliance. Depending on the size of the company and the volume of annual credit card transactions, the following activities will be considered:

• Conduct a kickoff session to discover the types and volumes of credit cards over the past three years.
• Review the history of PCI DSS compliance validation efforts and results.
• Evaluate the ‘security maturity’ of the organization to establish a baseline and a rough determination of the likelihood of full compliance.
• Using the four levels of transaction volumes combined with the credit card brands accepted, determine the specific validation requirements.
• Based on the security maturity and validation requirements, prepare a plan that will either begin with an assessment and validation or will involve an initial effort to raise the organizational maturity to a level where that step will be required before any validation can begin.
• If increasing security maturity is advised, develop a roadmap for mitigating the identified compliance gaps and risks, and then assist the client in executing the roadmap.
• If the organization is ready for validation assessment, prepare and share the requirements and steps required to complete the validation based on the merchant level.
• Once the validation is complete, advise the client about how to prepare for future validation efforts (required quarterly).

Depending on the client’s internal resources expertise and availability, Planet 9 can implement the entire road map, position the client to execute the road map on their own or supplement the client’s team. Note that for all but PCI level 1 merchants (e.g., for Visa more than 6 million transactions annually), a Self-Assessment Questionnaire (SAQ) can be completed by the organization, and then be accompanied by a quarterly (successful) network scan performed by an Approved Scan Vendor (ASV). Also note that any negative findings are likely to result in a failed validation which places the organization at risk for sanctions that can include fines and additional and stricter validation requirements that involve using a Qualified Security Assessor (QSA) in place of the SAQ.