Created by the major Credit Card Associations (Visa, MasterCard, American Express, Discover, JCB), the Payment Card Industry Data Security Standard (PCI), outlines general security requirements for merchants or service providers that store, process, or transmit cardholder data. PCI grew out of secure data programs developed by Visa and MasterCard as the benefits of a single aligned set of standards became apparent.

View the PCI Data Security Standard

• A merchant that stores credit card information of a buyer such as the CVV number could be in violation of PCI standards. This data should never be stored and should only be used at the time of purchase to validate cardholder status.
• A merchant that has many employees, only some of which process orders, and who share the same Yahoo! ID when accessing the store could be in violation of PCI standards. Merchants should restrict access to cardholder data to only those employees that require access to conduct business and each employee should have a unique Yahoo! ID.

Note: Yahoo! can only provide general suggestions as to what may constitute a violation of CISP/PCI security requirements. Visa, MasterCard and other credit card associations are the sole arbiters of the security requirements set forth by them. It is the responsibility of merchant account providers, working in conjunction with merchants or qualified security assessors, to determine what actions, policies, or practices may be needed by a merchant to achieve compliance with the standards.

The information provided here by Yahoo! as of 6/17/05 is for informational purposes only. Yahoo! makes no representation as to the accuracy of this information and merchants are advised to use the links to credit card associations provided within these documents for the CISP/PCI information and latest updates. Please note that the credit card association security programs may change without notice at any time.

See Also

• What is CISP?
• How will I know if I need to be CISP/PCI compliant?
• Is Yahoo! Merchant Solutions a CISP-compliant service provider?
• Am I compliant because Yahoo! is a CISP-compliant service provider?
• How do I become CISP/PCI-compliant?
• What information does Yahoo! provide my auditors to determine my compliance?
• Which auditor should I use to check for PCI-compliance?