Payment Card Industry (PCI)

PCI stands for “Payment Card Industry”; the abbreviation comes from the Payment Card Industry Data Security Standard (PCI DSS), a standard that defines a baseline for securely handling payment card data.

PCI DSS outlines 12 high-level requirements and detailed security measures that apply to companies storing, using, transmitting, or otherwise impacting the security of cardholder data. It also applies, to a lesser extent, to companies outsourcing these activities to third parties.

PCI is also sometimes interpreted as “payment card information” for convenience when comparing PCI data with personally identifiable information (PII) and protected health information (PHI). Although fairly widespread, this interpretation is not formally accurate because the PCI DSS standard does not define “payment card information” as an official term that could be abbreviated to “PCI”.

Instead, PCI DSS defines cardholder data and sensitive authentication data, collectively referred to as “account data”.

Types of PCI account data

Cardholder data (CHD) includes:

  • Primary Account Number (PAN): a unique payment card number that identifies the issuer and the cardholder account.
  • Cardholder name.
  • Card expiration date.
  • Service code: a code that the card issuer sets to define how the card should be used.

Sensitive authentication data (SAD) is information used to authenticate cardholders and authorize payment card transactions, and it can’t be stored after payment authorization. It includes:

  • Full track data: data encoded in a card’s magnetic stripe or chip.
  • Card verification code (CVC): a three- or four-digit number printed on a card to verify transactions that don’t involve physically validating a card, such as online transactions.
  • PINs or PIN blocks that are used for in-store purchases and ATM withdrawals.
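The CHD/SAD distinction above is exactly what a data-discovery or log-scrubbing check has to encode: SAD must never survive authorization, PAN must be rendered unreadable when stored, and the remaining CHD stays in scope. The following Python is an added example written for this page, not code from the page or from PCI SSC. It validates PAN candidates with the Luhn check digit that card brands use, drops SAD fields, masks PANs (the first-6/last-4 masking convention and the field names are assumptions; check them against your own policy and schema), and scans free-text fields for PANs that leaked into them. The sample record is constructed; the PAN in it is a well-known test number.

```python
import re

# Constructed sample: a request body a merchant backend might log by mistake.
SAMPLE_RECORD = {
    "cardholder_name": "JANE DOE",
    "pan": "4111 1111 1111 1111",       # constructed: widely used Visa test PAN
    "expiry": "12/27",
    "service_code": "201",
    "cvc": "123",                        # SAD: must not be retained after authorization
    "pin_block": "A1B2C3D4E5F60718",     # SAD (constructed, not a real PIN block)
    "order_id": "ORD-42",
    "note": "customer re-entered 4111-1111-1111-1111 after timeout",  # leaked PAN
}

# Assumed field naming; adapt these sets to the schema you actually handle.
CHD_FIELDS = {"pan", "cardholder_name", "expiry", "service_code"}
SAD_FIELDS = {"cvc", "cvv", "pin", "pin_block", "track1", "track2", "track_data"}

# 13-19 digits, optionally separated by single spaces or dashes, not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check digit test used for payment card numbers (ISO/IEC 7812)."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first 6 and last 4 digits, replace the rest (assumed masking convention)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid PANs (separators removed) embedded in free text such as a log line."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact_text(text: str) -> str:
    """Mask every Luhn-valid PAN in free text; leave other digit runs untouched."""
    def _sub(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_RE.sub(_sub, text)


def classify_and_redact(record: dict) -> tuple[dict, list[str]]:
    """Produce a copy of `record` that is safe to retain, plus a list of findings.

    SAD fields are removed outright, the PAN field is masked, other CHD is kept
    (it remains in PCI DSS scope), and unknown string fields are scanned for PANs.
    """
    findings: list[str] = []
    safe: dict = {}
    for key, value in record.items():
        k = key.lower()
        if k in SAD_FIELDS:
            findings.append(f"SAD field '{key}' dropped")
            continue
        if k == "pan":
            digits = re.sub(r"[ -]", "", str(value))
            if luhn_valid(digits):
                safe[key] = mask_pan(digits)
                findings.append(f"CHD field '{key}' masked")
            else:
                safe[key] = value
                findings.append(f"field '{key}' failed Luhn check; kept unchanged")
            continue
        if k in CHD_FIELDS:
            safe[key] = value
            findings.append(f"CHD field '{key}' kept (in scope)")
            continue
        if isinstance(value, str) and find_pans(value):
            safe[key] = redact_text(value)
            findings.append(f"embedded PAN masked in '{key}'")
        else:
            safe[key] = value
    return safe, findings


if __name__ == "__main__":
    cleaned, notes = classify_and_redact(SAMPLE_RECORD)
    for n in notes:
        print(n)
    print(cleaned)
```

The Luhn check keeps the scanner from flagging every 16-digit order number, but a random digit run still passes it one time in ten, so treat hits as candidates for review rather than proof of a PAN. Fields outside the known sets are scanned because, in practice, account data leaks through notes, exception messages and URL query strings far more often than through the field that was designed to hold it.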

PCI compliance and scope minimization

If your company stores, processes, or transmits these types of data, it must handle them securely and in strict compliance with PCI DSS requirements.

Even if your company does not directly store, process, or transmit account data but instead outsources these activities to a third-party payment provider, it still needs to comply with PCI DSS, albeit to a much lesser extent. For example, in this case you’re not required to complete an independent audit and get a PCI report on compliance (RoC), but you still need to submit a self-assessment questionnaire (SAQ) to validate your compliance with PCI DSS. Your questionnaire in this case is going to be relatively straightforward, addressing only about 10% of the full set of PCI rules.

Regardless, PCI DSS Requirement 12, which relates to the management of service providers, remains applicable to your company, along with parts of other requirements. However, outsourcing can significantly reduce your PCI DSS compliance burden — a strategy known as “minimizing the PCI DSS scope”.