PCI is the Payment Card Industry. The most common standard they provide is the PCI Data Security Standard (PCI DSS). The information this standard protects is considered PCI data.
The basic premise is that all cardholder data and sensitive authentication data must be protected.
- Full Primary Account Number (PAN)
- Cardholder name
- Expiration date
- Service code
Sensitive Authentication Data
- Full magnetic stripe data
- PIN blocks
The PCI DSS is an information security standard for organizations that process payment cards with logos from major card issuers including Visa, MasterCard, American Express, Discover, and JCB. Essentially you have a group of competitors coming together to establish proper card handling security.
In a world of many regulated data sets, many people forget or don’t realize that PCI DSS is not a policy. It is a standard. Even though it’s not backed by government regulation, there can still be consequences for being non-compliant. Consequences could include but not be limited to an increased frequency of audits by a Qualified Security Assessor (QSA), hefty fines, or a complete revocation of merchant account status.
To those of you who accept credit cards: When was the last time you completed the Self-Assessment Questionnaire (SAQ)? Are you positive you’re properly scoped?