The Payment Card Industry Data Security Standard (PCI DSS) defines the account data that must be protected by any organization that stores, processes, or transmits it. Cardholder data (CHD) must be stored, processed, and transmitted only on hardened systems inside a secured cardholder data environment (CDE) to protect it from data breaches. CHD consists of the primary account number (PAN) and, when stored together with the PAN, the cardholder name, expiration date, and service code. The standard treats sensitive authentication data (full track data, card verification codes, and PINs) even more strictly: it may not be retained after authorization at all, even in encrypted form.
PCI DSS compliance requires a merchant that accepts card payments to maintain an information security policy and to isolate the systems that handle card data from untrusted and public networks using firewalls or equivalent network security controls. Non-compliance carries fines assessed by the card brands through the acquiring bank, and in the worst case the loss of the ability to accept card payments at all.
To demonstrate compliance, most merchants complete a self-assessment questionnaire (SAQ); the largest merchants must instead undergo an on-site assessment by a Qualified Security Assessor (QSA) that produces a Report on Compliance (ROC). In either case the first step is scoping: identifying what card data the merchant collects and every system, network, and process where it is stored, processed, or transmitted. The merchant then applies the required controls across that scope, including physical access restrictions, firewall configuration, strong authentication and password policy, anti-malware software, and a vulnerability management program. These controls secure systems at rest, but the merchant must also protect card data in transit, encrypting it with strong cryptography whenever it crosses open or public networks. Many merchants reduce both their risk and their assessment scope by outsourcing payment handling to a PCI-validated service provider (for example through a hosted payment page or tokenization) so that the PAN never touches their own systems; the merchant nevertheless remains responsible for its own compliance and must manage and monitor that provider.