Does our FI need to be PCI compliant?

April 1, 2014 by Kevin Christensen — Vice President, Audit, SHAZAM

PCI compliance continues to be a confusing — and frustrating — topic. However, the short answer to the question above is yes.

All members of the various card brand networks (Visa, MasterCard, Amex, Discover) are required to be PCI compliant. So, if you issue debit and credit cards, you must be compliant with PCI standards.

Now for the long answer …

While card issuers are obligated to be PCI compliant, the requirements for validating that compliance vary. Validation comes from an audit performed by a Qualified Security Assessor (QSA), and whether you need a visit from such an individual depends on how cardholder data is used at your financial institution.

While there is some debate as to whether issuers will eventually be required to validate compliance, there is no such requirement today from any of the major card brands. If an issuer has a solid Gramm-Leach-Bliley information security program in place and that program is validated annually, supplementing the program with a separate PCI review isn’t necessary. However, adding PCI to the scope of your current reviews as a double check is not a bad idea.

One important note: Community banks and credit unions should be sure to include cardholder data within the scope of their information security programs.

Card brands tend to focus their compliance validation programs on systemic risk factors (i.e., big merchant acquiring financial institutions and processors). As a result, I believe the chances of validation requirements creeping up for issuing-only institutions in the future are slim.

In my next post, I’ll talk through requirements for community banks and credit unions that act as acquiring financial institutions, as they are a bit more complex.
