That’s PCI as in “Payment Card Industry” – and specifically the PCI Data Security Standard (PCI DSS). Basically the big credit card companies (Visa, MasterCard, American Express etc.) got together and created a set of standards to deal with card fraud. The aim of PCI is to force organisations like merchants and service providers (basically anyone that handles, transmits or stores card details) to protect the card data properly. For anyone who doesn’t comply there are fines, and the card companies are threatening to block non-compliant organisations from processing card payments altogether – a big deal if you’re a retailer or anyone else who depends on credit cards.
A worthwhile industry initiative to combat fraud? Or a shameless attempt by the banks to push the risk and responsibility onto others?
Whatever you think of PCI, there are many, many companies that need to comply. And taking auditable steps to stop credit card information leaking is an important part of the puzzle – ILP is really a must-have if you need to comply with PCI.
The deadlines for compliance are complicated, depending on what you do and where you are, but 30th September 2007 is an important date for many US-based companies, and really everyone ought to be compliant or nearly there already.
The official page isn’t really the most helpful, but here’s a great blog that helps with PCI, and an interesting recent discussion on Slashdot.