
All about PCI compliance

What is PCI compliance?

What are examples of the kinds of cardholder data that are deemed sensitive?

Do companies that issue cards need to be compliant?

Are corporate cards subject to PCI compliance?

What are common use cases that require card program providers to be PCI compliant?

How can card program providers ease their PCI compliance burden?

Do card program providers need to validate that they are compliant?

The list of companies making headlines due to data breaches seems to grow year after year. In 2019 alone, the number of customer records exposed increased 284%,[1] putting millions of consumers at risk. As an organization that may handle cardholder data, complying with PCI security standards is necessary to reduce your risk of exposure. These standards continue to evolve, and it’s important to understand how your company may be impacted.

What is PCI compliance?

In 2006, the card networks formed the Payment Card Industry Security Standards Council (PCI SSC) and created the PCI Data Security Standard (PCI DSS) to protect consumers and their sensitive data. Companies that store, transmit, or process sensitive card data must comply with PCI DSS. These standards include requirements for organizations to securely accept, store, process, and transmit cardholder data to prevent fraud and data breaches.

What are examples of the kinds of cardholder data that are deemed sensitive?

All entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) are in scope for PCI DSS.

Cardholder data (CHD) is any personally identifiable data associated with a cardholder and includes:

  • Primary account number (PAN), a defining factor for CHD
  • Cardholder name
  • Expiration date
  • Service code

Sensitive authentication data (SAD) is any data used to authenticate the cardholder and includes:

  • Full track data
  • CAV2/CVC2/CVV2/CID
  • PINs/PIN blocks

Do companies that issue cards need to be compliant?

It’s often thought that only organizations that accept payments (e.g., acquirers and merchants) are required to be compliant with PCI DSS and that card issuers are exempt. This was due to confusion around the PCI requirement stating that entities must not store SAD after authorization. For card issuers, however, storing SAD is necessary to authorize certain transactions. The PCI SSC has since clarified that companies that “perform, facilitate or support payment card issuing services are allowed to store sensitive authentication data if there is a legitimate business need to store such data” (PCI Data Security Standard, Requirement 3.2) and that all other PCI DSS requirements still apply.

Are corporate cards subject to PCI compliance?

For entities using corporate cards, the PCI SSC has stated that “whether entities with cardholder data on their own corporate cards need to validate compliance is determined by each payment brand individually.” So while the card network brands may vary in their guidance to entities that use corporate cards, PCI DSS itself still holds that any organization handling sensitive card information is in scope. If you are an issuer of corporate cards, it’s best to confirm the details of your specific card program to understand your PCI requirements.

What are common use cases that require card program providers to be PCI compliant?

The specifics of the PCI DSS requirements that apply to you depend on how card data is being handled. Some common use cases for card program providers that require PCI compliance are:

  • Displaying sensitive card data in your web and mobile applications
  • Enabling cardholders to securely activate their cards and set their PINs in your web and mobile applications
  • Adding a payment card for disbursement options

These are common use cases, but this list is not exhaustive. You may have additional responsibilities regarding data security for other elements of your end-user experience.

How can card program providers ease their PCI compliance burden?

Card program providers can work with their issuer processor to help offload the burden of PCI compliance. Marqeta provides a JavaScript library that enables you to securely embed and display sensitive card data in your application or web page using an iframe for certain user actions. The sensitive card data will not be handled on your servers. Instead, Marqeta hosts the data on secure, PCI-compliant servers and encrypts it for transmission.

Do card program providers need to validate that they are compliant?

If programs use Marqeta’s PCI-compliant widgets, program providers do not need to validate their compliance with their network for the specific use cases the widgets cover. However, you may have other components of your end-user experience that handle PCI-sensitive data and may require PCI compliance validation.


[1] 2019 Year End Data Breach Report, Risk Based Security
