What are the payment card industry standards?
PCI is the common shorthand for the Payment Card Industry Data Security Standard (PCI DSS), promulgated by the PCI Security Standards Council, LLC. This is an industry group made up of the major credit card issuers and processing firms. It has developed a set of standards covering the security of credit card transactions and the protection of the data involved in those transactions.
All merchants accepting payment cards issued by Visa, MasterCard, American Express, Discover or JCB must be PCI compliant. PCI does not certify or verify any specific firm’s compliance with their standards. Compliance is evaluated either by an independent organization certified by PCI, or by a self-assessment completed by the merchant. The merchant should contact the acquiring financial institutions with whom they have merchant agreements (e.g., their merchant banks) to determine the type of assessment that should be completed.
The PCI standards are designed to protect banks and consumers from data breaches related to their card transactions.
There are various categories of self-assessment defined, depending on how the merchant obtains and stores cardholder data. The PCI website has tools to help identify the appropriate category of self-assessment for your exposures. The core elements of the Data Security Standards are summarized on the PCI web site. You can click on the link below to see this summary:
https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security
To access the self-assessment tools at the PCI web site please visit:
https://www.pcisecuritystandards.org/document_library?category=saqs&results
Start by determining the category of self-assessment that applies to your business, then download the self-assessment questionnaire for that category.
There are lists of third-party hardware suppliers and audit firms that have been approved by PCI to help firms meet the standards. Links to these firms can be found at: https://www.pcisecuritystandards.org (see the Assessors & Solutions tab).
There are very detailed requirements for hardware and software as well as administrative procedures and policies. If you have concerns about your exposure to a data breach incident, you should use these resources to help manage this risk.
To learn more about Hanover Risk Solutions, visit hanoverrisksolutions.com
The recommendation(s), advice and contents of this material are provided for informational purposes only and do not purport to address every possible legal obligation, hazard, code violation, loss potential or exception to good practice. The Hanover Insurance Company and its affiliates and subsidiaries ("The Hanover") specifically disclaim any warranty or representation that acceptance of any recommendations or advice contained herein will make any premises, property or operation safe or in compliance with any law or regulation. Under no circumstances should this material or your acceptance of any recommendations or advice contained herein be construed as establishing the existence or availability of any insurance coverage with The Hanover. By providing this information to you, The Hanover does not assume (and specifically disclaims) any duty, undertaking or responsibility to you. The decision to accept or implement any recommendation(s) or advice contained in this material must be made by you.
LC NOV 2018 14-97
171-0940 (6/17)