The list of companies making headlines due to data breaches seems to grow year after year. In 2019 alone, the number of customer records exposed increased 284%, putting millions of consumers at risk. If your organization handles cardholder data, complying with the PCI security standards is necessary to reduce your risk of exposure. These standards continue to evolve, and it’s important to understand how your company may be affected.
What is PCI compliance?
In 2006, the card networks formed the Payment Card Industry Security Standards Council (PCI SSC) and created the PCI Data Security Standard (PCI DSS) to protect consumers and their sensitive data. Companies that store, process, or transmit sensitive card data must comply with PCI DSS. The standard sets requirements for securely accepting, storing, processing, and transmitting cardholder data to prevent fraud and data breaches.
What are examples of the kinds of cardholder data that are deemed sensitive?
All entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) are in scope for PCI DSS.
Cardholder data (CHD) is any personally identifiable data associated with a cardholder and includes:
- Primary account number (PAN), a defining factor for CHD
- Cardholder name
- Expiration date
- Service code
Sensitive authentication data (SAD) is any data used to authenticate the cardholder and includes:
- Full track data from the magnetic stripe or the equivalent data on a chip
- Card verification codes and values (CAV2, CVC2, CVV2, CID)
- PINs and PIN blocks
Do companies that issue cards need to be compliant?
It’s often thought that only organizations that accept payments (e.g., acquirers and merchants) are required to comply with PCI DSS and that card issuers are exempt. This confusion stems from the PCI DSS requirement that entities must not store SAD after authorization. For card issuers, however, storing SAD is necessary to authorize certain transactions. The PCI SSC has since clarified that companies that “perform, facilitate or support payment card issuing services are allowed to store sensitive authentication data if there is a legitimate business need to store such data” (PCI Data Security Standard, Requirement 3.2), provided the data is stored securely, and that all other PCI DSS requirements still apply.
Are corporate cards subject to PCI compliance?
For entities using corporate cards, the PCI SSC has stated that “whether entities with cardholder data on their own corporate cards need to validate compliance is determined by each payment brand individually.” So while the card networks may differ in how they require entities using corporate cards to validate compliance, PCI DSS itself still applies to any organization that stores, processes, or transmits cardholder data. If you issue corporate cards, confirm the details of your specific card program with the relevant networks to understand your PCI requirements.
What are common use cases that require card program providers to be PCI compliant?
The specific PCI DSS requirements that apply depend on how card data is handled. Common use cases for card program providers that bring them into PCI scope include:
- Displaying sensitive card data in your web and mobile applications
- Enabling cardholders to securely activate their cards and set their PINs in your web and mobile applications
- Adding a payment card for disbursement options
How can card program providers ease their PCI compliance burden?
Do card program providers need to validate that they are compliant?
If a program uses Marqeta’s PCI-compliant widgets, the program provider does not need to validate compliance with its card network for the specific use cases the widgets cover. However, other components of your end-user experience may still handle PCI-sensitive data and may require PCI compliance validation.