PCI-DSS Compliance and Your Online Identity Verification Program

Discover the value of PCI DSS compliance for your online customer identity verification program, and how to achieve it.

What is PCI-DSS?

PCI DSS compliance requires adherence to a set of specific security standards that were developed to protect sensitive card information during and after a financial transaction and “to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.”

Who is Impacted?

PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process, or transmit cardholder data and/or sensitive authentication data.

That is, the standard applies to every organization that holds, processes, or transmits cardholder information from any card bearing the logo of one of the card brands.

How to Know if Your Identity Verification Solution is PCI-DSS Compliant

While it is not mandatory for online identity verification providers to comply with PCI DSS, consider the value of the data they are handling—legitimate government-issued IDs (e.g., passports and driver’s licenses). These images can fetch up to $20 on the dark web. Criminals armed with valid driver’s licenses and passports can inflict considerable damage, including opening new credit cards or taking out a major loan in the victim’s name.

This means that online identity verification vendors are sitting on a treasure trove of valuable PII that must be managed appropriately and strictly protected against data breaches.

PCI DSS defines 12 requirements that vendors must adhere to in order to show they are taking the necessary steps to prevent unauthorized access to, or compromise of, their cardholder data. Failure to achieve PCI compliance can expose a retailer to substantial penalties, which can exceed $500,000 depending on the volume of transactions processed.

Put plainly: ask your identity verification provider for evidence of a valid PCI-DSS Level 1 certification, and verify it (for a service provider this takes the form of a current Attestation of Compliance signed off by a Qualified Security Assessor). This gives you assurance that their practices are up to date and have been validated by a reliable third party.