Payment Card Industry Data Security Standards (PCI DSS) for commercial lawyers
Produced in partnership with Craig Armstrong of Shoosmiths

The following Commercial guidance note, produced in partnership with Craig Armstrong of Shoosmiths, provides comprehensive and up-to-date legal information covering:

  • Payment Card Industry Data Security Standards (PCI DSS) for commercial lawyers
  • What is PCI DSS?
  • Entities to which PCI DSS applies
  • PCI DSS principles and requirements
  • Steps that are required for compliance with PCI DSS
  • Ongoing compliance
  • Enforcement—card scheme fines
  • Interaction with EU and UK privacy and data security laws and standards
  • Contractual protections for merchants using service providers

This Practice Note is designed to assist commercial practitioners acting on behalf of merchants or their subcontractors and considers:

  1. the entities to which Payment Card Industry Data Security Standards (PCI DSS) applies

  2. PCI DSS principles and requirements

  3. steps that are required for compliance with PCI DSS

  4. ongoing compliance

  5. enforcement, including card scheme fines

  6. interaction with EU and UK privacy and data security laws and standards

  7. contractual protections for merchants using service providers

It does not consider sector-specific laws, practices or PCI DSS requirements that are relevant to financial institutions, merchant acquirers, payment processors, payment networks and banks since those are only relevant to specialists working in those niche sectors. For detailed sector-specific guidance on payment services, see: Payment services—overview, Payment systems—overview and E-money—overview.

The card schemes Discover Financial Services and JCB International do not have any material presence in the UK and so this Practice Note focuses on the approach of MasterCard, Visa and American Express.

What is PCI DSS?

The Payment Card Industry Security Standards Council (PCI SSC) was founded in 2006 by the leading global card schemes: American Express, MasterCard, Visa, Discover Financial Services and JCB International.

The purpose of the PCI SSC is to promote and maintain the PCI DSS which are designed to improve payment card data security by setting out the minimum controls regarding the processing of payment