What are the payment card industry standards?

PCI is the common abbreviation for Payment Card Industry Data Security Standards promulgated by the PCI Security Standards Council, LLC. This is an industry group that consists of the major credit card issuers and processing firms. It has developed a set of standards related to the security of credit card transactions and the protection of the data involved in those transactions.

All merchants accepting payment cards issued by Visa, MasterCard, American Express, Discover or JCB must be PCI compliant. PCI does not certify or verify any specific firm’s compliance with their standards. Compliance is evaluated either by an independent organization certified by PCI, or by a self-assessment completed by the merchant. The merchant should contact the acquiring financial institutions with whom they have merchant agreements (e.g., their merchant banks) to determine the type of assessment that should be completed.

The PCI standards are designed to protect banks and consumers from data breaches related to their card transactions.

There are various categories of self-assessment defined, depending on how the merchant obtains and stores cardholder data. The PCI website has tools to help identify the appropriate category of self-assessment for your exposures. The core elements of the Data Security Standards are summarized on the PCI website

To access the self-assessment tools at the PCI web site please visit their document library. 

You should start with determining the category of self-assessment that applies to your business and then download the appropriate self-assessment questionnaire that applies to that category.

There are lists of third-party hardware suppliers and audit firms that have been approved by PCI to help firms meet the standards. Links to these firms can be found here (see the Assessors & Solutions tab).

There are very detailed requirements for hardware and software as well as administrative procedures and policies. If you have concerns about your exposure to a data breach incident, you should use these resources to help manage this risk.

This material is provided for informational purposes only and does not provide any coverage or guarantee loss prevention. The examples in this material are provided as hypothetical and for illustration purposes only. The Hanover Insurance Company and its affiliates and subsidiaries (“The Hanover”) specifically disclaim any warranty or representation that acceptance of any recommendations contained herein will make any premises, or operation safe or in compliance with any law or regulation. By providing this information to you. The Hanover does not assume (and specifically disclaims) any duty, undertaking or responsibility to you. The decision to accept or implement any recommendation(s) or advice contained in this material must be made by you.

LC NOV 2018 14-97
171-0940 (6/17)