Founded by American Express, Discover Financial Services, JCB International, MasterCard, and Visa, Inc., the Payment Card Industry (PCI) Security Standards Council (SSC) incorporates the PCI Data Security Standard (DSS) to set technical and operations requirements to protect cardholder data. It applies to all entities that store, process, or transmit cardholder data. PCI DSS 3.2.1, released on May 2018, marks the latest version.
The PCI DSS deals with payment card data and cardholder information, including primary account numbers (PAN), credit/debit card numbers, and sensitive authentication data (SAD) such as CVVs. Each payment card company, however, has its own program for compliance, validation levels, and enforcement.
Though the PCI DSS is not the law, it applies to merchants in at least two ways: (1) as part of a contractual relationship between a merchant and card company, and (2) states may write portions of the PCI DSS into state law.
The PCI DSS consists of twelve requirements.