Cardholder data must be handled properly by all merchants, financial institutions and other organizations that store, process or transmit it. While PCI DSS does not lay down specific data sanitization rules, it does require organizations to maintain an information security policy that addresses the protection of cardholder data.
The obligations between merchants and payment card companies are not directly enforced by law. Instead, these rules are implemented and contractually enforced through the PCI Contract Chain. This chain can include indemnification requirements, penalties, duties to pay fines, duties to adhere to payment card operating rules and other requirements related to payment cards.
Payment card companies cannot legally require merchants to adhere to PCI DSS directly, since there is typically no contractual relationship between them. Where no direct relationship exists, the requirements are passed down to the merchant through the contract immediately upstream of it. Payment card companies generally enforce compliance by leveraging these relationships: a non-compliant merchant can have its access to payment card processing restricted. The payment card companies that created this standard are Visa, Mastercard, American Express, JCB International, and Discover. The PCI standard is mandated by these companies, meaning that if you work with their systems, you must adhere to it. The standard is overseen by the Payment Card Industry Security Standards Council, and compliance is validated by a Qualified Security Assessor or Internal Security Assessor as defined by the council.
PCI DSS is a standard created to maintain a secure and comprehensive data management plan that protects cardholder information. These protections are paramount in preventing unintentional or unauthorized access to cardholder data. Failing to meet the PCI DSS compliance requirements does not necessarily carry any legislative or regulatory penalty, but it can result in exclusion from processing payments within these networks.