The Payment Card Industry (PCI) Data Security Standard is an industry regulation developed by VISA, MasterCard and other bank card distributors. It requires organizations that handle bank cards to conform to security standards and follow certain leveled requirements for testing and reporting. MasterCard markets the program as their Site Data Protection (SDP) Program and VISA markets it as their Cardholder Information Security Program (CISP).
The Standards rely on the merchant banks to enforce them and they may do so with penalties for non-compliance and disclosures caused by non-compliance.
Although all companies that collect credit card information, including service providers, have to be compliant, the Standards have more stringent audit and reporting requirements for larger merchants. Four levels of testing and reporting are described. In some cases, the assessors and the companies who do the external network scans must be certified by VISA or MasterCard.