Recently several high-profile cases of credit card data loss or compromise have made headlines. The Privacy Rights Clearinghouse claims that three dozen major identity theft cases have occurred to date this year, resulting in theft of information on 10 million Americans. Long before these incidents VISA created a private standard known as CISP, or the Cardholder Information Security Program.

More recently, VISA and American Express, Diner's Club, Discover Card, JCB and MasterCard collaborated to create a new set of standards known as the PCI (Payment Card Industry) Data Security Standard. All Merchants and Service Providers that handle, transmit, store or process information concerning any of these cards are required to be compliant with PCI as of June 30, 2005. This paper covers the basic requirements of PCI, with a focus on the administrative and technical elements of the program. It also reviews the validation requirements of the standard and potential sanctions for failure to comply.