PCI compliance means following a set of guidelines designed to protect customer credit card and debit card information. The guidelines apply to merchants and to anyone else who handles customer credit card information.
In September 2006, the major credit card companies (Visa, MasterCard, American Express, Discover, and JCB) created an independent body, the Payment Card Industry Security Standards Council (PCI SSC), to address the rapid changes taking place in the payment card industry, improve security, and protect customer information.
The Council produced the Payment Card Industry Data Security Standard (PCI DSS), a set of rules that applies to all companies that handle, accept, process, or otherwise come into contact with customer payment card information. In all, there are 12 standards divided into 220 sub-standards, grouped into six groups. The standards require these companies to maintain a secure environment and to store data on a secure server. Companies that take payments over the internet must choose a PCI compliant host.
In addition to administering and updating the PCI standards, the PCI SSC has been vocal in supporting the move toward payment cards with encrypted chips for storing customer data. The older magnetic stripe did not encrypt its data, which made it easy for cyberthieves to skim the data and encode it onto new cards that pass validation checks. The chips are harder to read and much harder to duplicate. The Council has also established standards for wireless LAN and cloud-based transactions.
Despite these efforts, security breaches at major retailers and credit bureaus, and the resulting theft of sensitive customer data, have drawn criticism of the PCI Council and its standards. Critics charge that some groups of merchants receive preferential treatment even though those groups account for the majority of fraud cases, that the standards are difficult to understand and unevenly applied, and that the Council is more interested in collecting fines than in protecting card information.