This applies to any organization, regardless of industry, that processes credit and debit cards—even if it’s one transaction a year.


Known as PCI for short, this standard concerns controls around cardholder data that are intended to reduce credit card fraud.


PCI began as separate security programs instituted by Visa, MasterCard, American Express, Discover, and the Japan Credit Bureau. Eventually, they formed the Payment Card Industry Security Standards Council (PCI SSC), aligned their individual policies, and in 2004 released unified standards. They have since updated the standards several times.

Penalties for noncompliance

Fines of up to $25,000 per month, and up to $500,000 if data is actually stolen. Or you may not be allowed to process card transactions at all. Validation of compliance is done annually.


This wide-reaching and successful industry security mandate is not a legal one. However, it is enforced by the various payment card brands. And the penalties, noted above, can make it virtually impossible to do business.

The requirements concern six “control objectives”:

  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain and information security policy

Simply outsourcing payment card processing does not satisfy compliance requirements. The requirements for certification depend on the number of card transactions your business handles each year, as well as such factors as previous data leaks. They range from simply conducting a self-assessment to onsite PCI assessments and regular network scans.