Data security—and information technology as a field—is rife with acronyms, abbreviations, and confusing technical jargon. For the uninitiated, this can make searching for security solutions seem like trying to learn a new language. To assist with this daunting task, we’re going to take a look at a popular acronym that’s prevalent in the payments space: PCI.
So, what is PCI? In the world of payments, the acronym PCI is often used to refer to the Payment Card Industry Security Standards Council (PCI SSC) or its industry regulation, the Payment Card Industry Data Security Standard (PCI DSS).
It also serves as shorthand for payment card information in general—which includes cardholder data (CHD) such as primary account numbers (PANs), card verification values (CVV), and more. This information is subject to the regulatory compliance obligations governed by the PCI SSC and outlined in the PCI DSS, further clouding the distinction between them.
In this blog, we’ll provide context for these varying definitions and share explanations for how they apply to organizations that store, process, or transmit CHD. To begin, let’s examine the recent history of the payment card industry to form a basic understanding of the background and reasoning behind these influential security standards.
History of PCI
The PCI SSC was founded in 2006 by the five major card brands: American Express, Discover, JCB International, MasterCard, and Visa Inc. The card brands came together to build an industry-wide standard for data protection to address the alarming number of data breaches—and subsequent payment fraud—plaguing the payment card industry. The result was the creation of the PCI DSS, which established requirements for handling sensitive payment data.
The reason this regulation is so influential is because any organization that wishes to use or process cards distributed by these brands must adhere to the PCI DSS’s compliance obligations. As a result, the PCI SSC and PCI DSS have become the primary regulatory body and corresponding regulation for protecting payment data.
In this context, you will often encounter PCI being used in combination with the following terms: controls, compliance, scope, and descoping/scope reduction. These refer to the requirements of the PCI DSS, whether they’re being met, the internal systems to which they’re subject, and the process of minimizing the number of controls applied to an organization’s environment. They are important because they help to explain how the PCI DSS applies to businesses that need to become compliant.
What is PCI Compliance?
Compliance is the process or condition of meeting the demands of the PCI DSS. The PCI DSS consists of six overall categories that are broken down into 12 requirements. These dozen requirements are composed of more than 300 controls that cover everything from approved types of encryption keys, to measures for writing adequate internal information security policies.
Who is PCI Compliant?
Organizations that adhere to these requirements are considered to be compliant. How this is determined depends on several variables, including the number of card transactions a given organization processes per year, the type of environment an organization possesses, and which acceptance channels are being used.
Ultimately, organizations rely on annual assessments—either an audit from an external qualified security assessor or an internal self-assessment (for SAQ-eligible companies)—to evaluate their compliance standing, although they are expected to remain compliant between assessments as well.
Again, if your organization stores, processes, or transmits cardholder data from the five major card brands, then the people, processes, and technology within your company that interact with that data must adhere to the relevant requirements of the PCI DSS.
What is PCI Scope?
Scope refers to the portion of an organization’s internal systems, or cardholder data environment (CDE), that interacts with card information. Additionally, any systems or individuals that are connected to the CDE or could potentially affect its security are considered to be within the scope of PCI compliance. These areas are subject to the PCI DSS and its more than 300 security controls.
However, the fewer systems an organization has in scope, the fewer compliance obligations it has as a result. This typically means an easier, more affordable path to becoming compliant—which is why PCI descoping is seen as such a valuable practice.
Descoping, or reducing scope, is the process of identifying where card data exists in an environment and determining how to remove or desensitize that data to avoid subjecting those areas to the PCI DSS. This can be done in myriad ways, including using obfuscation or simply storing CHD outside of an organization’s internal systems. Once more, the idea is to simplify compliance by minimizing the number of controls an organization is responsible for following and reducing the number of systems in scope.
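One way to carry out the identify-and-desensitize step described above, shown as an added example that is not TokenEx's product or code: scan records for Luhn-valid PAN candidates, swap each one for a token held in a separate vault, and keep only a first-six/last-four mask for reference. The sample records, the `TokenVault` class and the token format are constructed for this illustration.

```python
import re
import secrets
# Constructed sample records, the kind of text a scoping exercise turns up in
# logs or databases. The card numbers are well-known test PANs, not real accounts.
SAMPLE_RECORDS = [
    "order=1001 pan=4111111111111111 exp=12/27 name=A. Example",
    "order=1002 pan=5555555555554444 exp=01/26 name=B. Example",
    "order=1003 ref=1234567890123456 note=not-a-card",  # fails the Luhn check
]
# Candidate PANs are 13 to 19 digit runs; the Luhn check weeds out other numbers.
CANDIDATE_RE = re.compile(r"\b\d{13,19}\b")

def luhn_valid(digits):
    """Luhn mod-10 check, which every major card brand's PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan):
    """Keep first six and last four digits, a common display mask for a PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

class TokenVault:
    """Hypothetical stand-in for an external token vault (not TokenEx's API);
    only the vault holds PANs, so a system storing just the token holds no CHD."""
    def __init__(self):
        self._pan_by_token, self._token_by_pan = {}, {}
    def tokenize(self, pan):
        if pan not in self._token_by_pan:  # one token per PAN
            token = "tok_" + secrets.token_hex(8)  # random, not derived from the PAN
            self._pan_by_token[token] = pan
            self._token_by_pan[pan] = token
        return self._token_by_pan[pan]
    def detokenize(self, token):
        return self._pan_by_token[token]

def desensitize(record, vault):
    """Swap each Luhn-valid PAN for a vault token; return (record, masked PANs found)."""
    found = []
    def replace(match):
        candidate = match.group(0)
        if not luhn_valid(candidate):
            return candidate
        found.append(mask_pan(candidate))
        return vault.tokenize(candidate)
    return CANDIDATE_RE.sub(replace, record), found
```

After this pass the records carry tokens instead of PANs, so the systems that store them no longer hold cardholder data; only the vault remains in scope.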
Payment Card Information
Now that we’ve covered what PCI means in regard to the PCI SSC and PCI DSS, the next question is: what is PCI more broadly? As referenced earlier, PCI is sometimes used as shorthand for payment card information, which typically means a credit card primary account number (PAN). But, this can also apply to all cardholder data such as card verification values, expiration dates, cardholder names, billing addresses, and more.
This ambiguity can lead to some confusion when trying to distinguish between payment information in general and the Payment Card Industry specifically. Because of this, we prefer the term cardholder data (CHD) to refer to general credit card information and PAN when talking about a credit card number. Despite our preference, don’t be surprised to see other entities within the payments industry refer to all credit card information as PCI or PCI data.
Other Data Types
PCI is also often used alongside acronyms or abbreviations for other types of sensitive data, such as PII or PHI. PCI differs from other data types in that it is exclusively payment-related information. Other sensitive data that might be included, such as a cardholder name and billing address, is considered personal data, unless that data is present alongside a PAN—in which case it would still be considered PCI. Personal data encompasses a vast swath of information and can be referred to as sensitive personal information (SPI), personally identifiable information (PII), personally identifiable financial information (PIFI), personal health information (PHI), nonpublic personal information (NPI), and more.
There is some overlap between these designations—meaning a particular set of data could qualify as multiple types—but they ultimately depend on the regulation being considered and how that particular statute defines the data it is protecting. Typically they will be referred to as payments/privacy data or PCI/PII.
What is PCI: Security and Scope Reduction via Tokenization
Originally founded in 2009 as a way to reduce the compliance scope of those subject to the PCI DSS, TokenEx is a Cloud Security Platform that specializes in cloud-based tokenization. Our security technology captures and tokenizes sensitive data before it enters your environment and then safely stores it in ours to maximize scope reduction and virtually eliminate the risk of data theft.
For more information about PCI and other data types, check out our Compliance and Solutions ebook. To learn about tokenization and how TokenEx can help you to secure any sensitive data set and achieve compliance, contact us directly at email@example.com.