The Payment Card Industry (PCI) Security Standards Council (an organization formed by the card brands) created the PCI Data Security Standard (DSS) to ensure that businesses follow best practices for protecting their customers’ credit card information.
Businesses fitting one or more of the following criteria are subject to the PCI DSS requirements:
- A business that accepts credit or debit cards for payment, even if using a third-party vendor’s hardware, software or application to do so;
- A service provider that stores credit/debit card data on behalf of another business; and/or
- A hosting provider or other service provider that processes or transmits credit/debit card data on behalf of another business.
What's the point of PCI compliance?
The same technologies that make everyday business efficient also make it easy for attackers to reach sensitive information. A business that takes “just a handful” of card payments is therefore no less obligated to protect that card data than a major retailer running thousands of transactions.
When fully and accurately implemented, the 12 requirements of the PCI DSS work together to give your business defense in depth: multiple layers of security that make it much harder for an attacker to reach your customers’ sensitive data. Breach investigations consistently find that attackers and their automated tools most often exploit basic mistakes such as weak passwords, misconfigured systems and untrained employees. The PCI DSS addresses these and other common weaknesses, and so substantially reduces your business’s exposure.