Visa USA created the Cardholder Information Security Program (CISP) in mid-2001. The standard became a requirement for Visa member banks. The CISP program was intended to ensure high levels of information security for Visa cardholder data. The security standard applies to all Visa member banks, merchants accepting Visa cards, and all service providers processing Visa cardholder transactions. In 2004, the data security standards were cosponsored by Visa and MasterCard into an industry standard now known as the Payment Card Industry Data Security Standard. Other card issuers have adopted the standard and incorporated it into their own programs. In addition, an international version of the VISA CISP program called the Visa Account Information Security (AIS) applies to non-U.S.-based entities.
The PCI standard is not a law per se, but it is a mandatory compliance requirement for participants in the card payment-processing industry. Generally speaking, any entity, system, or component that handles Visa cardholder information anywhere in the value chain is subject to the standard if they wish to remain a participant in the Visa payment-processing system.
Participants in the Visa payment-processing system not only must adopt PCI but also must validate compliance with the standard. Specific standards apply to various sections of the payment-processing environment. Specific compliance standards and auditing requirements are published for member banks, merchants, and service providers. The auditing standards and compliance requirements are very specific and scaled to fit the relative risks represented by the various classifications.
In order to facilitate the program, Visa and other card issuers have published lists of organizations authorized to conduct validation inspections (audits), as well as conduct incident-response investigations. The publication of the auditing standards, approved service providers, and the various approved auditing organizations has served to raise the bar significantly on information security in the payment-processing industry.
Conformance to the PCI data security standard represented by PCI has become a "cost of doing business." In order to participate in the card payment-processing industry, conformance is not negotiable. The only enforcement necessary to ensure adoption of the standard is exclusion from participation in the industry. Visa, MasterCard, and other card issuers have "decertified" service providers for nonconformance with the standard. The most notable of these events have occurred after disclosure of security breaches resulting in loss of cardholder private data.
From a data security standpoint, the PCI standard represents commonly accepted data security standards and practices. There is nothing extraordinary in the standard. It is a set of standard best practices already well accepted in the IT security field. While the PCI standard represents basic security practices, the imposition of the PCI standard on the card payment-processing industry has had a dramatic impact on the technical infrastructure of the industry.
PCI has changed the focus of every software developer of card payment-processing software in any form to shift from adding feature functionality and reducing cost to restructuring their software to accommodate the standard. The impact has been felt across the spectrum of commercial software and system providers to individual retailers who develop and maintain their own systems. Similar to the general impact of SOX, the PCI standard has added vocabulary regarding standards, controls, and audits to an entire industry from smallest to largest and across the spectrum of industries.
A specialized cottage industry has arisen from the introduction of the standard around evaluating conformance to the PCI standard, testing for conformance, and training companies on how to assess and comply with the standard. While the standard does not represent cutting-edge security technology, the introduction and enforced compliance with the standard changed the entire card payment-processing industry in less than 4 years.