PCI DSS certification is required for any organization that processes payment card (including credit and debit) transactions.
While the PCI Security Standards Council (PCI SSC) cannot legally compel compliance, non-compliant organizations may lose the ability to process payment cards. PCI DSS certification also establishes trust between businesses and their customers by safeguarding sensitive financial information.
What is the History of PCI DSS Certification?
The PCI DSS is the result of a partnership between American Express, Visa, MasterCard, Discover Financial Services, and JCB International in 2004. With payment fraud on the rise, industry leaders in the credit card space joined forces to establish a set of security standards. PCI DSS version 1.0 was introduced in December 2004 and required compliance from all merchants that accepted credit cards.
The next version was released in 2006 and included additional requirements for merchants. That version also created the PCI Security Standards Council (PCI SSC), which oversees the standard.
What Does PCI DSS Certification Look Like in Action?
PCI DSS certification means a business has met the requirements established by the PCI SSC. These are essentially best practices for data security and payment operations that help keep transactions with a given organization secure. Some common practices under the PCI DSS include:
- Using antivirus software
- Encryption and tokenization
- Firewall installation
- Data access controls
- Network monitoring
Overall, there are 12 PCI DSS requirements grouped under six broad control objectives; together they break down into about 251 sub-requirements. The six control objectives are:
- Building and maintaining a secure network – companies should install and maintain firewalls to keep cardholder data safe and change vendor-supplied default passwords and other security parameters.
- Protecting cardholder data – this includes protecting stored and transmitted data, including the use of encryption across open, public networks.
- Maintaining a vulnerability management program – organizations should use, update, and maintain antivirus software and develop and maintain secure applications and systems.
- Implementing strong access control measures – this includes restricting access to cardholder data on a need-to-know basis, assigning unique IDs to everyone with access, and restricting physical access to sensitive data.
- Monitoring and testing networks regularly – companies must monitor and track access to cardholder data and networks as well as regularly test security protocols and systems.
- Maintaining an information security policy – organizations must maintain a policy that addresses information security for all personnel and keep it current.
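The "encryption and tokenization" practice and the "protecting cardholder data" objective above come down to one design rule: only a segregated vault ever holds the full primary account number (PAN); every other system works with a random token and a masked display form. The following is an added illustration, not code from the original page or from Modern Treasury. The `TokenVault` class, the `tok_` prefix and the first-six/last-four display mask are assumptions chosen for the example, and the sample card number is a well-known test number, not a real account.

```python
import secrets

# Constructed sample inputs: a standard test PAN that passes the Luhn check,
# and the same number with its check digit altered so that it fails.
SAMPLE_PAN = "4111111111111111"
SAMPLE_BAD_PAN = "4111111111111112"


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check: doubles every second digit from the right."""
    digits = [int(c) for c in pan]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:  # positions counted from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_valid_pan(pan: str) -> bool:
    """Syntactic sanity check: all digits, plausible length, Luhn-valid."""
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits, the rest replaced.

    Assumed masking policy for this example; the exact number of digits
    an organisation may show is set by its PCI DSS scope and version.
    """
    if not is_valid_pan(pan):
        raise ValueError("not a syntactically valid PAN")
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Hypothetical stand-in for a segregated token vault.

    It is the only component in this example that stores full PANs; in a
    real deployment that store would be encrypted at rest and isolated
    from the systems that handle tokens.
    """

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return a random, non-derivable token for a PAN (stable per card)."""
        if not is_valid_pan(pan):
            raise ValueError("not a syntactically valid PAN")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        token = "tok_" + secrets.token_hex(16)  # no relation to the PAN
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can turn a token back into a PAN."""
        return self._pan_by_token[token]


def record_for_downstream(vault: TokenVault, pan: str) -> dict:
    """What an order or billing system is allowed to keep: token plus mask,
    never the full PAN, which keeps that system out of PCI DSS scope for
    stored cardholder data."""
    return {"card_token": vault.tokenize(pan), "card_display": mask_pan(pan)}


if __name__ == "__main__":
    vault = TokenVault()
    rec = record_for_downstream(vault, SAMPLE_PAN)
    print(rec)  # e.g. {'card_token': 'tok_...', 'card_display': '411111XXXXXX1111'}
    print(vault.detokenize(rec["card_token"]) == SAMPLE_PAN)
```

The point the example makes is that a token carries no information about the card (it is random, not a hash or a cipher of the PAN), so a breach of the order system yields nothing useful, while the masked form still lets staff and customers recognise which card was used.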
PCI compliance can become complex depending on the size and business model of an organization. That said, noncompliance can be costly for any business. The reputational damage and monetary losses resulting from a data breach should compel all companies to take PCI DSS certification seriously.
In addition to fines, fees, and penalties for exposing sensitive customer data, lost trust can lead to lost sales. What’s more, breached businesses may be forced to stop accepting payment card transactions – or pay higher transaction fees. PCI DSS certification safeguards businesses not only from bad actors online but also from the excessive costs that can accrue as a result of a breach.