What is PCI?
In the world of payments, the abbreviation PCI is often used to refer to the Payment Card Industry Security Standards Council (PCI SSC) or its industry regulation, the Payment Card Industry Data Security Standard (PCI DSS). However, PCI is not limited to these definitions. It is used in a variety of contexts that unfortunately require some explanation in order to avoid confusion.
The PCI SSC was founded in 2006 by five major card brands—American Express, Discover, JCB International, MasterCard, and Visa Inc.—which created the PCI DSS to establish requirements for handling sensitive payment data. The reason this regulation is so influential is because any organization that wishes to use or process cards distributed by these brands must adhere to its compliance obligations. As a result, the PCI SSC and PCI DSS have become the primary regulatory body and regulation for protecting payment data. In this context, you will often encounter PCI being used in combination with the terms controls, compliance, scope, and descoping/scope reduction.
Controls refer to the requirements included in the PCI DSS, which must be followed for an organization to be PCI-compliant. These controls consist of 12 overall demands, with each functioning as a general stipulation to be satisfied by adhering to several more specific, related controls.
Scope refers to the portion of an organization’s internal systems, or cardholder data environment (CDE), that interacts with card information. These areas are subject to the PCI DSS and its controls mentioned above. The smaller an organization’s scope, the fewer compliance obligations they have, which generally means an easier path to becoming compliant.
Descoping, or reducing scope, is the process of identifying where card data exists in an environment and determining how to remove or desensitize that data so as to avoid subjecting those areas to the PCI DSS. Again, the idea is to simplify compliance by minimizing the number of controls an organization is responsible for meeting and reducing the number of systems in scope.
Payment Card Information
More broadly, however, PCI is sometimes used as shorthand for payment card information, which typically means a credit card primary account number (PAN) but can also refer to card verification values (CVVs) and other card data. This ambiguity can lead to some confusion when trying to distinguish between payment information in general and the Payment Card Industry specifically. Because of this, we prefer the term cardholder data (CHD) to refer to general credit card information and PAN when talking about a credit card number.
Other Data Types
PCI is also often used alongside abbreviations of other types of sensitive data, such as PII or PHI. PCI differs from other data types in that it is exclusively payment-related information. Other sensitive data that might be included among billing information, such as a name and address, is considered personal data. This data type encompasses a vast swath of information and can be referred to as sensitive personal information (SPI), personally identifiable information (PII), personal health information (PHI), nonpublic information (NPI), etc. There is some overlap between these designations, but they ultimately depend on the regulation being considered and how that particular statute defines the data it is protecting.
For more information about PCI and other data types, check out our Compliance and Solutions ebook. To learn about tokenization and how TokenEx can help you to secure any sensitive data set and achieve compliance, contact us at www.tokenex.com or email us directly at firstname.lastname@example.org.