What is PCI SSC?

The Payment Card Industry Security Standards Council (PCI SSC) is the global body that develops, maintains, and promotes the PCI Data Security Standard (PCI DSS) and related standards for protecting payment card data.

What Is the PCI SSC?

The PCI Security Standards Council (PCI SSC) is the global body responsible for developing, managing, and promoting the Payment Card Industry Data Security Standard (PCI DSS) and related security standards. It was founded in 2006 by the five major card networks -- Visa, Mastercard, American Express, Discover, and JCB -- to create a unified approach to payment card security.

Before the PCI SSC existed, each card network maintained its own separate security programme. Merchants had to comply with multiple overlapping -- and sometimes conflicting -- sets of requirements. The council was created to solve this problem by establishing a single, consistent standard that applies across all card brands.

What the PCI SSC Does

The council's responsibilities extend well beyond simply publishing a document. It oversees a broad ecosystem of security standards, training programmes, and qualified assessor organisations.

Core activities

  • Developing PCI DSS -- The flagship standard that governs how organisations protect cardholder data. The council releases major versions (such as PCI DSS v4.0) and manages the transition timelines
  • Managing assessor programmes -- The PCI SSC qualifies and oversees Qualified Security Assessors (QSAs), Approved Scanning Vendors (ASVs), and Internal Security Assessors (ISAs)
  • Publishing supporting standards -- Beyond PCI DSS, the council maintains standards for payment applications (PA-DSS, now replaced by the Software Security Framework), point-to-point encryption (P2PE), and card production
  • Training and certification -- The council runs training programmes for security professionals and maintains a registry of certified individuals and organisations
  • Community engagement -- The PCI SSC gathers feedback from participating organisations, special interest groups, and the broader payment industry to inform standard updates

How PCI DSS Versions Are Developed

The PCI SSC follows a structured process for developing and updating standards. This typically involves:

  • Gathering feedback from the global community of participating organisations
  • Reviewing emerging threats, new technologies, and industry trends
  • Drafting proposed changes and circulating them for comment
  • Publishing final standards with defined transition timelines

For example, PCI DSS v4.0 was released in March 2022, with a transition period allowing organisations to move from v3.2.1. The council set 31 March 2024 as the deadline for retiring v3.2.1, with additional future-dated requirements taking effect on 31 March 2025. This phased approach gives businesses time to adapt without leaving security gaps.

Participating Organisations

Any organisation involved in the payment ecosystem can become a Participating Organisation (PO) of the PCI SSC. This includes merchants, banks, payment processors, technology vendors, and security companies. POs gain the ability to:

  • Submit feedback on draft standards before they are finalised
  • Nominate representatives to the council's Board of Advisors
  • Attend the annual PCI Community Meetings
  • Access early drafts of upcoming standards and guidance documents

Participating Organisation status does not exempt a business from compliance -- it simply gives them a voice in how the standards evolve.

The PCI SSC and Telephone Payments

The PCI SSC has published specific guidance on securing telephone-based payment environments. Contact centres represent a unique challenge because sensitive card data can be exposed through voice channels, call recordings, and agent desktops.

The council's guidance on protecting telephone-based payment card data covers topics including:

  • DTMF masking and suppression technologies
  • Pause-and-resume approaches for call recording
  • Descoping contact centre environments from PCI DSS scope
  • Secure IVR payment systems

This guidance has been instrumental in helping the industry develop and adopt technologies that keep card data out of the voice path entirely.
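The two recording-side approaches listed above, DTMF masking/suppression and pause-and-resume, can be shown with a small model of a call. The following is an added example written for this page, not Paytia's product code and not anything published by the PCI SSC; the event names, the `MASK_TONE` placeholder, the `process_call` and `streams_are_clean` functions and the sample call (which uses a constructed test card number) are assumptions made for illustration.

```python
"""Toy model of DTMF suppression and pause-and-resume for a telephone payment.

Added example (not Paytia's or the PCI SSC's code). Event names, MASK_TONE and
the sample call are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple

# A call is modelled as a sequence of (kind, payload) events:
#   ("audio", "<chunk label>")  speech between caller and agent
#   ("dtmf", "<digit>")         a keypad press by the caller
#   ("capture_start", "")       the agent opens the secure card-capture window
#   ("capture_end", "")         the window closes
Event = Tuple[str, str]

MASK_TONE = "flat-tone"  # constructed: what agent and recorder hear instead of a real DTMF tone


@dataclass
class CallOutput:
    agent_stream: List[str] = field(default_factory=list)     # delivered to the agent desktop
    recorder_stream: List[str] = field(default_factory=list)  # delivered to call recording
    captured_digits: str = ""                                 # routed only to the payment gateway


def process_call(events: Iterable[Event], mode: str = "mask") -> CallOutput:
    """Route keypad digits entered during the capture window away from agent and recorder.

    mode="mask":  DTMF inside the window is replaced by MASK_TONE on both downstream
                  streams (DTMF masking/suppression); speech still flows normally.
    mode="pause": as above for the agent, but the recorder receives nothing at all
                  during the window (pause-and-resume call recording).
    Outside the window, DTMF passes through unchanged, e.g. IVR menu selections.
    """
    if mode not in ("mask", "pause"):
        raise ValueError(f"unknown mode {mode!r}")
    out = CallOutput()
    in_window = False
    for kind, payload in events:
        if kind == "capture_start":
            in_window = True
            if mode == "pause":
                out.recorder_stream.append("[recording paused]")
        elif kind == "capture_end":
            in_window = False
            if mode == "pause":
                out.recorder_stream.append("[recording resumed]")
        elif kind == "dtmf":
            if in_window:
                out.captured_digits += payload          # only the gateway ever sees this
                out.agent_stream.append(MASK_TONE)
                if mode == "mask":
                    out.recorder_stream.append(MASK_TONE)
            else:
                out.agent_stream.append(f"dtmf:{payload}")
                out.recorder_stream.append(f"dtmf:{payload}")
        elif kind == "audio":
            out.agent_stream.append(f"audio:{payload}")
            if not (in_window and mode == "pause"):
                out.recorder_stream.append(f"audio:{payload}")
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    return out


def luhn_valid(digits: str) -> bool:
    """Luhn check on the captured PAN: a cheap sanity test before calling the gateway."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def streams_are_clean(events: Iterable[Event], out: CallOutput) -> bool:
    """Descoping check: the only DTMF tokens the agent or recorder received are the
    ones pressed outside the capture window (e.g. IVR selections), in the same order."""
    in_window = False
    allowed: List[str] = []
    for kind, payload in events:
        if kind == "capture_start":
            in_window = True
        elif kind == "capture_end":
            in_window = False
        elif kind == "dtmf" and not in_window:
            allowed.append(f"dtmf:{payload}")
    seen_agent = [t for t in out.agent_stream if t.startswith("dtmf:")]
    seen_rec = [t for t in out.recorder_stream if t.startswith("dtmf:")]
    return seen_agent == allowed and seen_rec == allowed


# Constructed sample call: an IVR choice, then a card number keyed inside the window.
SAMPLE_CALL: List[Event] = [
    ("audio", "greeting"),
    ("dtmf", "1"),                                  # IVR menu choice, outside the window
    ("audio", "agent-asks-for-card"),
    ("capture_start", ""),
    *[("dtmf", d) for d in "4111111111111111"],     # constructed test PAN
    ("audio", "caller-speaks-mid-entry"),
    ("capture_end", ""),
    ("audio", "confirmation"),
]

if __name__ == "__main__":
    for m in ("mask", "pause"):
        result = process_call(SAMPLE_CALL, mode=m)
        print(m, "recorder:", result.recorder_stream)
        print(m, "clean:", streams_are_clean(SAMPLE_CALL, result), "luhn:", luhn_valid(result.captured_digits))
```

`streams_are_clean` is the property that matters for descoping: whatever the agent desktop and the recording platform receive must be free of the keyed digits, so those systems never store, process or transmit cardholder data. The Luhn check is not a PCI requirement, just a cheap way to reject a mistyped number before the gateway is called.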

PCI SSC vs the Card Networks

A common source of confusion is the relationship between the PCI SSC and the individual card networks. The PCI SSC develops and maintains the standards, but it does not enforce them. Enforcement is handled by each card network individually -- Visa, Mastercard, American Express, Discover, and JCB each have their own compliance programmes, penalties, and reporting requirements.

This means that while the technical requirements come from one place (the PCI SSC), the consequences of non-compliance depend on which card brands you accept and the agreements you have with your acquiring bank.

How Paytia Uses This

Paytia operates as a PCI DSS Level 1 certified service provider -- the highest level of compliance validated under the standards developed by the PCI SSC. Paytia's DTMF suppression technology aligns with the council's guidance on securing telephone-based payment environments, removing sensitive card data from the voice path so that contact centres can reduce their PCI DSS scope.

By using Paytia, businesses benefit from a solution that has been designed from the ground up to meet the requirements set by the PCI SSC, without needing to become experts in the standards themselves.

Frequently Asked Questions

Who runs the PCI Security Standards Council?

The PCI SSC was founded by Visa, Mastercard, American Express, Discover, and JCB. It is governed by an executive committee with representatives from the card networks, and its day-to-day operations are managed by a dedicated team led by a general manager.

Does the PCI SSC enforce PCI DSS compliance?

No. The PCI SSC develops and maintains the standards, but enforcement is handled by the individual card networks (Visa, Mastercard, etc.) through their own compliance programmes. Your acquiring bank typically manages your compliance obligations on behalf of the card networks.

Can any business join the PCI SSC?

Yes. Any organisation involved in the payment card industry can become a Participating Organisation by applying through the PCI SSC website and paying an annual fee. This gives you a voice in how the standards evolve but does not change your compliance obligations.

See how Paytia handles PCI SSC

Book a personalised demo and we'll show you how our platform works with your setup.

Certifications: PCI DSS Level 1, Cyber Essentials Plus.

Trusted by law firms, insurers, healthcare providers and regulated businesses worldwide.