PCI Compliance for Financial Institutions

What is PCI?

The Payment Card Industry consists of five major card brands: Visa, MasterCard, American Express, Discover, and JCB. In 2004, they published the Data Security Standard (PCI DSS) to combat credit card fraud, and in 2006, they formed the PCI Security Standards Council (PCI SSC). PCI DSS is composed of six goals and twelve requirements, which have undergone several revisions; the most recent was published in 2018.

[Image: PCI DSS goals and requirements overview. Source: https://pcisecuritystandards.org]

Does PCI apply to my institution?

PCI DSS may apply to your institution if…

  • debit cards display a major card brand logo.
  • credit cards with a major card brand logo are issued.
  • card numbers are stored in any application or system, including the core.
  • card numbers are exported to other systems (e.g., for marketing, archival, statements, data warehousing, or other purposes).
  • merchant services are provided to business clients.
  • card payments for products or services are accepted.
  • cash advance services are provided in branches.
  • third-party agreements require PCI DSS compliance.

FFIEC lists PCI compliance in the Tier 1, 2, and 3 objectives of the IT Examination Handbook examination procedures. Many financial institutions reach out to CLA for help after receiving comments about PCI compliance in post-examination communications.

How is the industry addressing PCI?

The Payment Security Report (PSR) is published annually by Verizon and details the state of payment card security. The rate of full compliance is trending down across the globe, at less than forty percent. Only twenty percent of US financial institutions assessed maintain full compliance. Many institutions cite a lack of funding and resources to achieve compliance. These statistics can be misleading, as they only include institutions that have undergone an assessment; many institutions have not acknowledged a requirement for compliance or performed an assessment at all.

How can CLA help?

CLA is a PCI Qualified Security Assessor (QSA) company and has a team that can help your institution navigate PCI DSS requirements, consult on PCI DSS program implementation, and assist in preparing compliance documents. Please contact your CLA representative anytime for more information.

  • Managing Principal Financial Services
  • Charlotte, NC
  • 704-816-8452

Susan is a CPA with more than 20 years of combined experience in public accounting and the financial institution industry, including experience with Fortune 500 financial services companies. Susan serves as the managing principal of CLA’s financial services group. Her responsibilities include providing engagement oversight in the areas of assurance and internal audit. In addition, Susan provides board advisory and management consulting services in the areas of strategic planning and mergers and acquisitions. Susan has been involved in multiple mergers and acquisitions of sizes ranging from $150 million to $500 billion with engagement at all stages of the process.
