As many merchants already know, there is a seemingly endless number of rules that must be followed in order to maintain PCI-compliant status. With so many rules, you may ask yourself, “Who determines all of these rules anyway?” The answer to this question is the PCI Security Standards Council, also known as the PCI SSC.
The PCI SSC was launched by the five major global payment brands in 2006 to establish a security standard for credit card transactions. The standard covers every step of the transaction process, from the point at which card data enters a system to the end of the transaction, when the card payment has been processed. The goal of this standard is to protect merchants, processors, financial institutions, and anyone else who handles cardholder data from theft and fraud.
The PCI Data Security Standard, or PCI DSS, was initially created by aligning Visa’s security programs (AIS and CISP) with MasterCard’s Site Data Protection (SDP) program. The goal of this alignment was to create a standard for preventing, detecting, and reacting to security incidents involving cardholder data. From this standard, the PCI rules and guidelines are established.
It is important to note that although the PCI SSC maintains the data security standard, it does not validate or enforce any organization’s compliance with the standard. Consequently, the PCI SSC also does not penalize organizations that fail to comply with it. The power to enforce the standard and impose penalties rests with the payment brands themselves.