PCI DSS – Ethics and Code of Professional Responsibility

The code of ethics when you are the PCI referent at your company

Following my appointment as PCI referent at my company, I have had some questions about the code of professional responsibility. My answer is very simple. The PCI SSC's mission is to enhance payment account data security by driving education and awareness of the PCI SSC security standards. This is my code of conduct.

To help achieve this goal, PCI SSC has adopted this Code of Professional Responsibility to help ensure that information security professionals adhere to the highest standards of ethical and professional conduct.

Adherence to this code will help ensure the safe handling of cardholder information and enhance payment card data security. All PCI SSC-qualified individuals and PCI SSC qualification candidates must agree to advocate, adhere to and support the following Code of Professional Responsibility.

The key rule is this: PCI SSC-qualified individuals who intentionally or knowingly violate any principle of this Code will be subject to revocation of qualification and/or other disciplinary action by the PCI SSC.

PCI Code of Responsibility: Principles

Professional Competence and Due Care

  • Perform each aspect of your work honorably, responsibly, and legally.
  • Act in the best interest of all entities that you provide services or support to, while maintaining high standards of conduct and being consistent with the PCI Standards and guidance.
  • Deliver diligent and competent services in accordance with the PCI Standards and applicable laws.
  • Render only those services for which you are fully competent and qualified.
  • Promptly advise all entities that you provide services or support to on changes in PCI Standards and guidance.
  • Participate in learning throughout your career to maintain the knowledge, skills and expertise needed in the payment security industry.
  • Promote current information security best practices and standards.

Security and Confidentiality

  • Respect and safeguard confidential, proprietary, or otherwise sensitive information with which you come into contact in the course of professional activities, unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
  • Take affirmative steps to comply with the PCI Standards to assure that confidential information is maintained securely.
  • Immediately notify the appropriate authorities and proper industry personnel should you suspect a compromise or breach in security.


  • Refrain from conduct which would damage or reflect poorly on the reputation of PCI SSC, its standards, the profession, or the practice of colleagues, clients, and employers.
  • Report ethical violations to PCI SSC in a timely manner.
  • Refrain from any activities which might constitute a conflict of interest.
  • Perform all duties with objectivity.


Compliance with Industry Laws and Standards

  • Perform duties in accordance with the PCI Standards.
  • Comply with existing laws and regulations, with local laws taking precedence over PCI Standards.
  • Cooperate with law enforcement agencies.

Violation and Enforcement

  • Depending on the severity of the violation, disciplinary action could include:
    • Warning: A written warning could be issued that specifies the consequences if the situation occurs again, or if there is another violation.
    • Suspension: PCI SSC qualification for PCIP-, ISA- or QSA-certified individuals could be suspended for all programs in which the individual participates.
    • Revocation: PCI SSC qualification could be revoked for all programs in which the individual actively participates.

Don't forget: PCI SSC is committed to enforcing its Code of Professional Responsibility, and has adopted a procedure that allows fair and objective review of allegations of violations of the Code.

Enjoy PCI DSS and be cool. The Code and only the Code 🙂