What is PCI?
PCI stands for: Payment Card Industry denoting the debit, credit, pre-paid, e-purse, ATM and POS (Point of Sale) terminal and associated businesses.
But PCI is specifically referring to the Payment Card Industry Security Standards Council, a council formed by:
- American Express
The PCI Council develops and maintains (so far) 3 standards that work together to protect payment transactions and cardholder data.
- PCI DSS: (My bible) It covers systems that store, process, or transmit cardholder data and is used by acquirers, issuers, merchants, service providers and us.
- PCI PA-DSS: it covers payment applications and is used by application developers.
- PCI PTS: It covers point-of-interaction devices (or POIs) used for PIN entry.
PCI DSS isn't a regulation but a contract
PCI DSS is a contract that starts at payment card brands and is propagated through merchant banks to merchants. It is not a regulation. This contract requires merchants to protect payment card data using security controls, but it also requires organizations to contract for external testing, contractually require service providers to adhere to PCI DSS standards, and conduct audits regularly. These activities all involve IT security, but are by no means the sole responsibility of the security team.
In the next newsletter we will have a look to the payment processing terminology and workflow. In the meantime, if you want to learn more - Check out our PCI content on rapid7.com.
Risk Product Manager