PCI is an independent, self-funded organization that creates and manages security standards for credit card payments.
The Payment Card Industry (PCI) is formed by the card schemes but not funded or operated by them, and standards must still pass through an executive committee of PCI brands.
Who needs PCI compliance?
All companies that process, store or transmit credit card information need to comply with the PCI SSC’s regulations. This includes merchants, service providers with regard to storing data, and terminal vendors that develop PIN devices, which need to maintain a certain level of PCI security.
What can UL do for me?
UL is accredited to perform all approval programs:
- PCI DSS (PCI Data Security Standard) covers the protection of cardholder data in the operational environment – everywhere!
- PTS (PIN Transaction Security) covers point-of-interaction devices and HSMs. It applies to both PIN and non-PIN devices with cryptographic processes to protect the PIN and other sensitive data. SRED is for cardholder data.
- PA-DSS (Payment Application Data Security Standard) covers commercial software, specifically “payment applications” to support PCI DSS compliance
- PIN Security standard covers secure key management, and processing of PIN data for both online and offline payment card transaction processing
- P2PE (Point-to-Point Encryption) covers approval of solutions that use encryption to protect cardholder data. It allows merchants to reduce their PCI DSS validation scope
- ASV (Approved Scanning Vendor) provides low-cost remote scanning of Internet-facing IP addresses to report on known vulnerabilities. Merchants pass ASV scans quarterly to pass PCI DSS
- PCI Card Production standard covers security around card production activities including card manufacturing, chip embedding, magnetic-stripe encoding, embossing, card personalization, chip initialization, chip personalization
- PCI Documentation — Hosted by the PCI SSC
- PCI Approved Devices — Hosted by the PCI SSC
- Derived Test Requirements (Registration with PCI Required) — Hosted by the PCI SSC
- List of PCI Approved Scanning Vendors
- Information on becoming an ASV
- ASV Training
*UL offers links to these webpages and documents because we believe they may have value and relevance for consumers, manufacturers and others who share our interest in public safety. UL has no role in the development or maintenance of these webpages and documents. UL is not responsible for the content, accuracy, opinions expressed or other links provided by these resources.