Do Banks Need to be PCI Compliant?
Published February 7, 2020 • 3 min read
Banks that issue Visa, Mastercard, American Express, and Discover cards are obligated to comply with the Payment Card Industry Data Security Standard (PCI DSS).
All parties that handle credit card data from one of the four major U.S. credit card brands, Visa, Mastercard, Discover, and American Express, as well as JCB International, an international payment brand based in Japan, are required to comply with PCI DSS requirements. The PCI DSS is maintained by the PCI Security Standards Council.
PCI DSS is a set of information security standards put in place to ensure that organizations that accept, process, store, or transmit payment card information maintain secure environments to protect consumers and merchants. Put simply, the PCI DSS standards apply to any organization that holds, processes, or passes cardholder information from any card branded with the logo of any of the card brands.
Even if an organization processes just four credit card transactions a month, it must be PCI compliant. A company that uses a third-party payment processor must still comply with PCI standards. Likewise, an organization that does not store credit card data but whose servers cardholder data passes through is still required to comply with PCI requirements.
The PCI DSS offers information to financial institutions and other organizations about how to prevent and detect fraud and data loss and how they should react in the event of data breaches.
The five card brands, which incorporate the PCI DSS as the technical and operational requirements of their data security compliance programs and security policies and procedures, enforce PCI compliance on the companies involved in card transactions.
However, PCI DSS compliance is not a legal requirement but a form of self-regulation. The organizations that process card payments must contractually agree with the payment card brands to comply with PCI requirements.
PCI DSS compliance is required by the contracts that govern participation in payment card systems. Financial institutions, including issuing banks and acquiring banks, as well as merchants and service providers that process transactions, enter into contracts with the five card brands that permit them to process cardholder data.
Issuing banks are banks that offer credit cards to consumers. Acquiring banks are the financial institutions that hold merchants’ bank accounts, receive payments through the card processors, and deposit funds on behalf of the merchants.
Visa, Mastercard, Discover, and American Express originally developed the PCI DSS in 2004 to reduce debit and credit card fraud and data loss.
In 2006, American Express, Mastercard, Visa, JCB, and Discover founded the Payment Card Industry Security Standards Council (PCI SSC) to develop and manage security in the payment card industry. The PCI SSC maintains, advances, and promotes the PCI DSS.
The PCI SSC also provides the tools that organizations need to implement the PCI standards, including PCI self-assessment questionnaires (PCI SAQ), training and education, assessment and scanning qualifications, and product certification programs.
PCI assessments result in a Report on Compliance (ROC), an Attestation of Compliance (AOC), or both. The ROC and/or AOC are provided to the merchant’s credit card acquirer annually to prove compliance with PCI requirements. As with the assessment method, the form of proof required is determined by the merchant level and the requirements of the specific card brand. Higher-level merchants may also be required to provide quarterly external network vulnerability scans performed by an Approved Scanning Vendor (ASV).
A PCI Self-Assessment Questionnaire (SAQ) is used by lower-level merchants (those with fewer transactions) to self-assess their compliance. Multiple SAQs are available; the one a merchant must use is determined by how its customers perform credit card transactions (e.g., card-not-present vs. card-present, fully outsourced authorization vs. partially outsourced authorization).