Watch sessions from Transfer 2024. Featuring Joe Montana, Ben and David from Acquired, and more.Watch Now →

Learn

What is PCI DSS Certification?

Welcome to Learn, where we provide straightforward, easy-to-understand definitions of the payments industry.

Follow us

PCI DSS certification means your business has met the requirements laid out in the Payment Card Industry Data Security Standard (PCI DSS) to secure payment card data.

PCI DSS certification is required for any organization that processes payment card (including credit and debit) transactions.

While PCI Security Standards Council (PCI SSC) cannot legally compel compliance, non-compliant organizations may lose the ability to process payment cards. PCI DSS certification also establishes trust between businesses and their customers by safeguarding sensitive financial information.

What is the History of PCI DSS Certification?

The PCI DSS is the result of a partnership between American Express, Visa, MasterCard, Discover Financial Services, and JCB International in 2004. With payment fraud on the rise, industry leaders in the credit card space joined forces to establish a set of security standards. PCI DSS version 1.0 was introduced in December 2004 and required compliance from all merchants that accepted credit cards.

The next version was released in 2006 and included additional requirements for merchants. That version also created the PCI Security Standards Council (PCI SSC), which oversees the standard.

What Does PCI DSS Certification Look Like in Action?

PCI DSS certification means a business has met the requirements established by the PCI SSC. These are essentially best practices for data security and payment operations that ensure transactions with a given organization are safe. Some common practices under the PCI DSS include:

  • Using antivirus software
  • Encryption and tokenization
  • Firewall installation
  • Data access controls
  • Network monitoring

Overall, there are 12 PCI-DSS requirements across six broad goals, though this includes about 251 sub-requirements. The six broad control objectives include:

  1. Building and maintaining a secure network – companies should install and maintain firewalls to keep cardholder data safe and change vendor-supplied default passwords and other security measures.
  2. Protecting cardholder data – this includes protecting stored and transmitted data, including the use of encryption across open, public networks.
  3. Maintaining a vulnerability management program – organizations should use, update, and maintain antivirus software and develop and maintain secure applications and systems.
  4. Implementing strong access control measures – this includes restricting access to cardholder data on a need-to-know basis, assigning unique IDs to everyone with access, and restricting physical access to sensitive data.
  5. Monitoring and testing networks regularly – companies must monitor and track access to cardholder data and networks as well as regularly test security protocols and systems.
  6. Maintaining an information security policy – this includes maintaining an information security policy.

PCI compliance can become complex depending on the size and business model of an organization. That said, noncompliance can be costly for any business. The reputational damage and monetary losses resulting from a data breach should compel all companies to take PCI DSS certification seriously.

In addition to fines, fees, and penalties for revealing sensitive customer data, lost trust can lead to lost sales. What’s more, breached businesses may be forced to stop accepting payment card transactions – or pay higher transaction fees. PCI DSS certification safeguards businesses from bad actors online but also from excessive costs that can accrue as a result of a breach.

Try Modern Treasury

See how smooth payment operations can be.

Talk to sales
More from

Learn

Learn topic image

Compliance is a crucial function for any company that moves money on behalf of their customers. Dive into the fundamentals behind key compliance processes like KYC, KYB, transaction monitoring, and more.

Compliance risk management (CRM) is the ongoing process of identifying, assessing, and mitigating potential risks that threaten an organization’s business.

Read more

Customer due diligence (CDD) is a process used at financial institutions (FIs) when working with potential new customers.

Read more

The Customer Identification Program (CIP), part of the Know Your Customer program guidelines, requires that financial institutions in the U.S. verify that customers (both individuals and businesses) are who they say they are when they open new accounts for themselves or other people.

Read more

FinCEN, short for Financial Crimes Enforcement Network, is a government bureau that aims to prevent money laundering and other financial crimes—and punish bad actors that commit them.

Read more

Know Your Business (KYB) is a set of verification procedures that helps companies avoid getting into business with criminals.

Read more

The Office of the Comptroller of the Currency (OCC) is a federal agency that "charters, regulates, and supervises" all national banks.

Read more

According to the Department of Labor (DOL), Personal Identifiable Information (PII) is any information from which a person’s identity can be either directly or indirectly inferred.

Read more

A Politically Exposed Person (PEP) is someone that might be more likely to break the law or be corrupt because of the power their position affords them.

Read more

Specially Designated Nationals (SDN) are individuals and entities tied to countries that the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) has hit with sanctions.

Read more

A Suspicious Activity Report (SAR) is a report that a bank or other financial institution must file if it suspects that a customer might be breaking the law and committing fraud, financing terrorism, or laundering money.

Read more

Anti-money laundering (or AML) compliance entails a careful adherence to rules and regulations aimed at combating illicit financial activities.

Read more

Know Your Customer or Know Your Client (KYC) is a set of guidelines for verifying the identity of a customer and gauging the associated risk of working with them.

Read more

The Office of Foreign Assets Control (OFAC) is a financial intelligence and enforcement agency under the jurisdiction of the US Treasury Department.

Read more

PCI DSS certification means your business has met the requirements laid out in the Payment Card Industry Data Security Standard (PCI DSS) to secure payment card data.

Read more

Service Organization Control 2 (SOC 2) is a voluntary auditing procedure that service providers complete to keep their clients’ data secure from cyber attacks.

Read more

Section 314(a) is part of the USA Patriot Act that enables financial institutions (FIs) and law enforcement to work together to fight money laundering and terrorist activity.

Read more

Section 314(b) and Section 314(a) of the USA Patriot Act both relate to information requests under the Banking Secrecy Act (BSA).

Read more

A currency transaction report (CTR) is a report made by U.S. financial institutions aiming to prevent money laundering.

Read more

An Agent of the Payee is a person, entity, or other intermediary specifically appointed by a payee to process and collect payments on their behalf.

Read more

Identity Verification APIs allow businesses to streamline the process of checking the identities of new users by automatically, and in some cases instantly, verifying their provided identifying information.

Read more

The Bank Secrecy Act (BSA)—also known as the Currency and Foreign Transactions Reporting Act—is a piece of legislation designed to help prevent fraud.

Read more

The Electronic Fund Transfer Act (EFTA) is a federal law in the U.S. that regulates electronic transactions to protect consumers.

Read more

Subscribe to Journal updates

Discover product features and get primers on the payments industry.

Subscribe

Products

Platform

Modern Treasury For

Case Studies

Insights

Documentation

Company

Legal


Popular Integrations

© Modern Treasury Corp.