White Paper

Payment Card Industry compliance for financial institutions

July 31, 2020

The Payment Card Industry Security Standards Council (PCI SSC) was launched in 2006 by the five global payment brands—Visa, Mastercard Worldwide, American Express, Discover Financial Services and JCB International. On behalf of the industry, the Council assumed responsibility for the development and management of the PCI Data Security Standard (PCI DSS) for payment cards, and for education and awareness around it.

While the initial focus of the PCI DSS was merchants and service providers, any organization that processes, stores or transmits cardholder data, including financial institutions, is required to comply with the standard.

Financial institutions often have difficulty determining whether they must comply with the PCI DSS. Furthermore, if compliance is indeed required, they may not understand which of the standard's 12 requirements for protecting account data apply to them. Noncompliance with applicable PCI requirements could result in significant financial penalties, the compromise of customer accounts and reputational damage to the institution.

This document has been developed to help institutions better understand the PCI compliance issues facing the industry and which standards should be followed in certain situations. It provides helpful insights into several key questions, including:

  • Does the PCI DSS even apply to financial institutions?
  • What are some examples of how the PCI DSS affects financial institutions?
  • Are financial institutions that outsource credit and debit card issuance and processing still required to comply with the PCI DSS?
  • Do PAN encryption and PA-DSS certification negate the need to demonstrate PCI compliance?
  • Do commercial financial institutions that do not issue credit or debit cards have to comply with the PCI DSS?

Penalties vary on a case-by-case basis, but more importantly, any compliance gap places customer assets and the institution's reputation at risk. It is imperative for banks to understand the level of compliance required of them and to implement the systems and controls needed to achieve it.