PCI SSC
What does PCI SSC do?
PCI SSC develops and maintains international security standards to protect payment card data. It does this in collaboration with the international card schemes (such as Visa, Mastercard, American Express, and UnionPay) and payment chip manufacturers.
- The Dutch Payments Association is affiliated with PCI SSC as an Affiliate Member.
- Each standard has a lifecycle for periodic revisions, market consultations, and the publication of new versions.
- PCI accredits inspectors and security experts who assess whether products, transaction processors, acquirers, and merchants comply with the standards.
- The use of standards is enforced by the card schemes, not by PCI SSC itself.
- PCI SSC organizes annual community meetings for sharing knowledge and experiences (in the US, EU, and Asia).

Key PCI standards
PCI DSS – Data Security Standard
Standard for securing payment card and transaction data.
- Relevant parties: primarily acquirers, transaction processors, and merchants.
- Consists of 12 security requirements for systems, networks, and processes.
- The form of assessment depends on the number of e-commerce transactions (from annual audit to self-assessment).
- Dutch point-of-sale merchants without e-commerce are exempt.

PCI PTS – PIN Transaction Security
Standard for securing payment terminals (hardware and software).
- Aimed at securing PIN entry and processing on terminals.
- Recognized independent experts test the terminals; PCI SSC issues certificates.
- Each certificate carries an expiry date after which that type of terminal may no longer be sold; the card schemes determine when already-deployed terminals must be taken out of service.

PCI PIN
Requirements for the secure transmission and processing of PIN codes throughout the payments infrastructure.
- Particularly relevant for transaction processors.
- Closely related to the PCI PTS standards.

PCI MPOC – Mobile Payments on COTS
Standard for card acceptance on smartphones (COTS: commercial off-the-shelf).
- Requirements for apps that process card data or PIN codes on an open mobile device.
- Requires continuous monitoring of device security and real-time risk mitigation.

Relevance
- The standards are primarily relevant for transaction processors, payment service providers, and hardware and software suppliers.
- Exception: PCI DSS also applies to merchants who process e-commerce payments.
- An acquirer must report to the card schemes whether its merchants comply with PCI DSS.
- Under certain conditions (e.g., no previous data breaches, use of tokenized transactions), a merchant may be exempt from inspections.

PCI perspective
Secure card payments are essential for confidence in payments. PCI SSC plays a central role in this with clear security standards for all links in the payments infrastructure. The Dutch Payments Association actively follows these developments and represents the Dutch market in relevant forums.