Welcome to the PCI Portal
Events
Welcome to the PCI Events section. PCI-focused events have been organised over the past 18 months in Amsterdam, Madrid, Tallinn, Frankfurt, Paris, Milan, Cairo, Dubai, Kiev, Moscow and Johannesburg, amongst other destinations.
 
PCI DSS Overview

The PCI DSS is a compliance standard that has been developed in order to help organisations proactively reduce the risk of data compromise and the effects of fraud. The standard contains 12 requirements for implementing effective information and data security practices. These requirements cover technical aspects of security management, and also impact policies and procedures. 

The standard is administered by the PCI Security Standards Council (PCI SSC), an organisation founded by 5 card schemes: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. The PCI SSC is responsible for developing and enhancing the PCI DSS in order to make sure that requirements are up-to-date and in line with emerging payment security risks. 

Organisations affected by the PCI DSS include all acquiring banks, all merchants that accept payment cards, and all service providers who store or transmit card or transaction data. Merchants are categorised in 4 tiers depending on the volume of transactions that they process (tier 1 merchants process the most transactions, tier 4 the least). The compliance process varies slightly depending on which tier a merchant belongs to.

In order to achieve compliance, organisations must ensure their systems, and those of any third parties they work with, meet the 12 requirements of the PCI DSS. They must then conduct an audit, which is usually carried out by a Qualified Security Assessor (QSA). QSAs are certified by the PCI SSC and are responsible for validating an organisation’s compliance. Compliance must be maintained on an ongoing basis.

Failure to comply, or a system compromise that causes customer card details to be used fraudulently, may result in a financial penalty or termination of processing services.
