## Introduction
PCI Security Standards Council (PCI SSC) is a global standards body that develops and maintains security standards for payment card data protection. Founded in 2006 and headquartered in Wakefield, Massachusetts, it serves payment card ecosystems including merchants, PSPs, acquirers, processors, software vendors, and financial institutions worldwide. PCI SSC manages the PCI Data Security Standard (PCI DSS) and related frameworks used across the global card payments industry.
## What is PCI SSC and what does it do?
The PCI Security Standards Council is the industry body responsible for creating and maintaining security standards for organisations that store, process, or transmit payment card data. Its standards are used by card schemes, acquirers, payment service providers, merchants, and technology vendors to reduce fraud and secure card payment environments.
### Mission and remit
PCI SSC develops technical and operational security standards for the global payment card ecosystem. Its remit includes defining baseline controls for cardholder data security, publishing implementation guidance, managing assessor and vendor qualification programmes, and coordinating industry feedback through working groups and advisory structures. The council itself does not regulate payment firms or directly enforce compliance; enforcement is carried out downstream through card schemes, acquiring banks, and contractual obligations within payment networks.
### Core work domains
- Cardholder data security standards — Maintains PCI DSS and related frameworks governing payment card data protection.
- Payment application and software security — Defines requirements for payment software, secure application development, and software lifecycle management.
- Point-to-point encryption and tokenisation — Publishes standards for encryption, tokenisation, and secure payment data transmission.
- Hardware and device security — Oversees standards for payment terminals, PIN entry devices, and hardware security controls.
- Training and assessor qualification — Operates certification and qualification programmes for assessors, vendors, and security professionals.
### Geographic scope and cross-border reach
PCI SSC operates globally and its standards are used across all major card-payment markets. Its frameworks apply through international card schemes including Visa, Mastercard, American Express, Discover, and JCB. PCI standards support cross-border interoperability because acquiring banks, processors, PSPs, and merchants in different jurisdictions are commonly subject to the same baseline security requirements under scheme rules and commercial agreements.
## Why PCI SSC matters for payment operators
PCI SSC standards reach payment operators primarily through downstream contractual and network obligations rather than direct regulation. PSPs, acquirers, gateways, processors, ecommerce platforms, and merchants handling payment card data are commonly required by card schemes and acquiring banks to comply with PCI DSS or related standards. Non-compliance can lead to fines, remediation requirements, increased monitoring obligations, or restrictions imposed by schemes and acquiring partners.
Within a payment operator, PCI SSC standards most directly affect compliance, security, infrastructure, product, and legal teams. Security and engineering functions implement technical controls for data handling, segmentation, encryption, and monitoring. Compliance teams coordinate PCI assessments and reporting. Product and integration teams encounter PCI scope considerations when designing checkout flows, tokenisation models, hosted payment pages, or omnichannel payment architectures.
PCI SSC frameworks also shape vendor management and commercial relationships across the payments ecosystem. PSPs and merchants frequently require technology partners, processors, payment applications, or service providers to demonstrate PCI compliance as part of onboarding and procurement processes.
## Who runs PCI SSC and how is it organised?
PCI SSC is governed by the major global payment card schemes: American Express, Discover, JCB International, Mastercard, and Visa. The council is led operationally by an executive management team headed by an Executive Director and operates from its headquarters in Massachusetts, United States, with additional international engagement structures and regional participation programmes. Strategic direction is influenced by the founding payment brands, while technical input is gathered through industry boards, special interest groups, and participating organisations.
### Membership composition
PCI SSC does not operate as a traditional trade association with voting corporate members. Instead, it uses a participation model that includes payment companies, merchants, vendors, assessors, financial institutions, and technology providers through advisory boards and contributor programmes.
| Category | Member institutions |
|---|---|
| Founding organisations | Visa, Mastercard, American Express, Discover, JCB |
| Participating organisations | PSPs, acquirers, processors, merchants, software vendors, device manufacturers |
| Qualified assessor ecosystem | QSA firms, ASV providers, security assessors, testing laboratories |
| Industry contributors | Financial institutions, fintech firms, ecommerce platforms, security vendors |
### Working groups and decision rights
PCI SSC develops standards through internal technical teams, special interest groups, industry feedback programmes, and public comment periods. Participating organisations can contribute technical input and join working groups, but ultimate approval authority remains with the council and its founding payment brands. Standards development is largely consensus-driven within the technical process, though final publication authority is centrally controlled by PCI SSC governance structures.
## What standards does PCI SSC publish and how do they get used?
PCI SSC publishes security standards, implementation guidance, and validation frameworks used throughout the payment card ecosystem.
| Standard | Scope | Used by |
|---|---|---|
| PCI DSS | Security requirements for storing, processing, and transmitting cardholder data | Merchants, PSPs, acquirers, processors, gateways |
| PCI Secure Software Standard | Security requirements for payment software applications | Software vendors, payment application providers |
| PCI PIN Security | Protection of PIN data and cryptographic processes | Acquirers, ATM operators, payment processors |
| PCI P2PE | Point-to-point encryption requirements for payment environments | Merchants, PSPs, terminal providers |
| PCI Tokenization Guidelines | Frameworks for token-based payment data protection | PSPs, gateways, processors, ecommerce platforms |
| PCI 3DS Core Security Standards | Security requirements related to 3-D Secure environments | Issuers, acquirers, PSPs, ACS providers |
### Adoption and downstream regulation
PCI SSC standards are generally enforced through contractual and scheme-rule mechanisms rather than statute. Card networks incorporate PCI requirements into operating regulations that acquiring banks and payment processors must follow. Acquirers then pass compliance obligations downstream to merchants and PSPs through commercial agreements.
In some jurisdictions, regulators reference PCI DSS indirectly within broader cybersecurity, operational resilience, or payment security expectations. PCI compliance is also frequently required in procurement processes, partner onboarding, cyber-insurance assessments, and enterprise risk frameworks.
## Events and convenings
PCI SSC operates several long-running international community meetings and industry events, including the annual PCI Community Meetings held across North America, Europe, and Asia-Pacific regions. These events focus on standards updates, implementation guidance, assessor training, technical workshops, and ecosystem coordination.
## How to engage with PCI SSC
Industry participants can engage with PCI SSC through participating organisation programmes, assessor qualification schemes, training and certification tracks, special interest groups, and public consultation processes. Participation is fee-based, and eligibility varies by programme type. PSPs, merchants, vendors, assessors, and payment technology providers can generally participate directly, though governance control remains with the founding payment card brands.
## FAQ
### Is PCI SSC a regulator?
No. PCI SSC is an industry standards body, not a financial regulator or government authority. Its standards are enforced through contractual obligations imposed by card schemes, acquirers, processors, and payment network participants rather than through statutory law or licensing powers.
### Who founded PCI SSC?
PCI SSC was established in 2006 by American Express, Discover Financial Services, JCB International, Mastercard, and Visa. The council was created to provide a unified security standards framework for the global payment card industry instead of maintaining separate scheme-specific security programmes.
### What standards does PCI SSC maintain?
PCI SSC maintains PCI DSS, PCI PIN Security, PCI P2PE, Secure Software standards, tokenisation guidance, and related validation and testing frameworks. These standards govern cardholder data protection, encryption, software security, payment applications, and hardware security across payment environments.
### Can my company join PCI SSC?
Many organisations can participate in PCI SSC programmes, including PSPs, merchants, software vendors, processors, financial institutions, and security assessors. Participation usually happens through paid organisational programmes, assessor qualification tracks, training, special interest groups, or industry working groups rather than traditional voting membership.
### How does PCI SSC enforce its standards?
PCI SSC itself does not directly enforce standards. Enforcement occurs downstream through card schemes, acquiring banks, processors, and contractual payment network obligations. Organisations may be required to validate compliance through audits, self-assessment questionnaires, vulnerability scans, or qualified assessor reviews.
### Is PCI SSC the same as EMVCo?
No. PCI SSC and EMVCo are separate payment standards bodies with different mandates. PCI SSC focuses on payment card data security and operational security controls, while EMVCo develops technical specifications for chip payments, contactless acceptance, tokenisation, secure remote commerce, and payment interoperability.