Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard, more commonly known as PCI DSS, helps all organisations that process payment card data to mitigate or reduce the risk of card fraud by establishing and implementing a protective information security framework.


Any organisation that manages payment card data, whether a merchant or a third-party processor, must be able to demonstrate compliance with PCI DSS. Further, any organisation that outsources the management of such data must also comply. In short, if an organisation is directly or indirectly processing, storing, or transmitting payment card data, it must be able to demonstrate compliance with this standard.

Although PCI DSS is a standard rather than a law, compliance is treated as mandatory at the contractual level between merchants, both to assure all interested parties that the preventative measures in place are fit for purpose and to ensure the resilience of all financial data assets. Failure to protect such assets can result in fines applied at a local level or, for more serious breaches, i.e., those covered by the General Data Protection Regulation (GDPR), a penalty of up to €20,000,000 or 4% of the annual turnover of the preceding financial year, whichever is higher, enforced by the territorial governing body, which in the UK is the Information Commissioner's Office, more commonly known as the ICO.