The PCI-DSS (Payment Card Industry - Data Security Standard) is a single security standard composed of the cardholder security programs from
the 5 major credit card companies. Any organization that accepts, processes or stores cardholder information must be PCI compliant, including
merchants and third-party providers*. This includes websites that accept payment cards.
Severe penalties and sanctions can be levied against organizations that fail to be PCI compliant:
- Fines up to $500,000 per incident, levied by their bank and the card companies
- Being banned from accepting credit cards from customers
- Fines up to $100,000 per incident, levied by state governments, for not notifying customers of the probable theft of their information
As of September 2006, PCI DSS 1.1 includes 12 major requirements for compliance. Violating any of these requirements can trigger an overall
non-compliant status.
* However, according to the PCI DSS documentation, "PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed
or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply."