Payment Card Industry (PCI) Data Security Standard (DSS)

In 1999, Visa USA developed the Cardholder Information Security Program (CISP). The goal of this program was to assure cardholders that their account information was safe, regardless of where it was offered for payment. Originally intended to secure credit card transactions over the Internet, the CISP was expanded and mandated in June 2001 to apply to all payment channels, including retail (brick and mortar), mail/telephone order, and e-commerce. To achieve CISP compliance, merchants and service providers must adhere to the Payment Card Industry (PCI) Data Security Standard (DSS). The PCI DSS, the result of collaboration between Visa and MasterCard, is designed to create common industry security requirements that incorporate the CISP requirements. Visa, MasterCard, American Express, Diner’s Club, Discover, and JCB USA have each endorsed the CISP and PCI DSS. If a member, merchant, or service provider does not comply with the security requirements or fails to rectify a security issue, they could face fines of up to US$500,000 per incident, or restrictions imposed by the credit card companies, including denying the member's, merchant's, or service provider's ability to accept or process credit card transactions.

Who Must Comply with PCI?

Any organization that stores, processes, or transmits Primary Account Number (PAN) data must comply with PCI DSS requirements. However, even organizations that do not store or transmit PAN data may decide to use the PCI DSS requirement document as an internal security best practice guideline by which they measure and implement their own data security standards.

Refer to PCI DSS Requirements for information about specific PCI DSS requirements addressed in EFT.