Skip to Main Content
Main Menu

PCI Security Standards Council (PCI SSC)

The Payment Card Industry (PCI) Security Standards Council (SSC) is an international organization who collaborates with payment industry professionals and stakeholders to curate payment data security resources and industry best practices. The PCI SSC develops Data Security Standards (PCI DDS), which provides the latest technical requirements needed to design secure data payment applications.

Are you subject to PCI SSC?

Any entities or merchants who store, process or transmit cardholder data, sensitive authentication data, and/or payment transactions must comply with relevant PCI Standards. Software developers and manufacturers who develop payment applications and devices are also subjected to relevant standards.

Key obligations of the PCI DSS V4.0

Minimal storage of account data

Organizations must develop a data retention policy specifying that only minimal cardholder data must be kept (e.g. a holder’s primary account number (PAN) and card expiration date), and identify locations to retain the data to reduce risk of data compromise.

Implementation of audit logs

Organizations must apply audit log mechanisms on all system components and cardholder data in order to continuously detect for and quickly alert system administrators of suspicious activities within the network and/or unauthorized changes to cardholder accounts. Audit logs should also monitor alterations to administrative access privilege to identify risks of an individual shutting off the audit log system.

Configuration of network security controls

Organizations must establish an internal configuration policy outlining what is permitted and/or not permitted within the database and network to manage network traffic between and from cardholder data environments (CDE).

Do not store sensitive authentication data after authorization

Regardless whether sensitive authentication data (e.g. PINs, card verification codes) has been encrypted for an organization, it shall not be retained upon completion following an authorized process. However, if sensitive authentication data must be stored prior to the completion of an authorization, it must be encrypted with strong cryptography, and with a different cryptographic key than the key used to encrypt a PAN.

Implementation and testing of security systems

Organizations must develop and keep up-to-date security policies and technical mechanisms to ensure the entire system network is secure, and regularly test rigor of the security mechanisms to effectively respond to abnormal activities.


Privacy and Data Security in Mergers & Acquisitions

Data can be a valuable asset or an incredible liability to your business. Proactive data privacy practices are strategically critical in this data economy because of the extreme cost of mistakes today.

Achieve compliance


  • How do I apply the PCI DSS into my business operations?

    The PCI SSC is not responsible for enforcing compliance; the responsibility falls on payment brands and banks. Payment brands must establish internal policies guiding cardholder and payment security practices, and these practices shall be adopted by acquiring banks who must also develop their own approach that their customers must adhere to in compliance with the PCI Standards.

  • Do I notify the PCI SSC in the event of a cardholder data incident?

    The PCI SSC does not participate in forensic investigations. However, PCI Forensic Investigators can collaborate with entities to aid in the aftermath of such incidents. PCI Forensic Investigators are qualified by the PCI SSC.

  • Does the PCI DSS apply to bank account data?

    Bank account data (e.g. branch identification numbers, bank account numbers, routing numbers) are not payment card data, and the PCI DSS does not apply to such data. However, if a bank account number is also a PAN or contains a PAN, then the PCI DSS applies. However, in the event the PCI SSC does not apply to a certain account number containing elements of PAN, it is strongly recommended that the account number be protected to avoid unauthorized persons from recovering the full PAN from an account number.

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.

Back to Top