The Payment Card Industry Data Security Standard is the collective result of the 5 corporate brands VISA, MasterCard, American Express, Discover and Japan Credit Bureau. It was founded in 2004 as a result of combining each company’s security programs. The goal of the Payment Card Industry Security Standards Council is to add protection to cardholder data that is stored, processed and/or transmitted within a merchant’s software, networks, and personnel.
Visa’s program, the Cardholder Information Security Program or CISP, was mandated by Visa in 2001. The program now centers around PCI DSS compliance and compliance validation based on Visa’s own set of criteria. Members include financial institutions, merchants and service providers participating in the Visa payment system. Fines are levied against members who are found to be non-compliant at the time of a data breach. Wording on the website vaguely implies that Visa may waive the fines if members are compliant at the time of the breach, but it also further stipulates that members can prevent fines by staying compliant at all times.
The MasterCard SDP Program (Site Data Protection) was announced in 2001 with the goal of helping acquiring banks and merchants with their online systems. SDP was a service offered by MasterCard itself rather than one referred out to other companies. Currently the program focuses on PCI DSS compliance. Acquiring banks verify PCI compliance with each merchant depending on the merchant’s level.
The American Express Data Security Operating Policy was first implemented in 2002. American Express supports PCI DSS compliance as a measure of minimum security. Note that, upon perusing the documentation, American Express indicates that a Level 4 merchant with another card brand’s acquirer may have a different level with American Express. Each company’s payment solution is separate from every other payment card’s.
The Discover Information Security & Compliance (DISC) program was developed prior to the PCI Security Standards Council, of which Discover is a founding member. The program designates Discover’s roles and responsibilities with regard to PCI DSS compliance. Again, the company determines which members must be PCI compliant, determines validation and reporting requirements, enforces compliance and responds to data compromises. This sums up what each company is doing with regard to PCI DSS compliance.
The JCB Data Security Program was started at JCB International, a company based in Asian countries. The documentation on their website is slight. It focuses on “recommending” that a company use their program and become PCI DSS compliant. The wording might be reflective of a different culture from European and American cultures, but the intent is the same. They develop requirements for compliance with the PCI DSS. And again, the acquiring banks where merchant accounts are established are in charge of enforcing the requirements on the merchants.
These 5 major card brands started the PCI Security Standards Council, which develops the standards for cardholder data security. While the standards council develops the standards to which they all agree, each company has somewhat different requirements for compliance with those standards. Level 1-4 merchants are defined somewhat differently by each company and require careful review. If a merchant accepts more than one brand, each brand’s compliance requirements must be met to continue accepting that brand of credit card.
