Card schemes are payment networks linked to credit and debit cards. By becoming members of card schemes, banks and other eligible financial institutions are able to issue cards operating on the network of the scheme. Examples of card schemes that operate in the United Kingdom (UK) include:

• American Express
• Maestro
• Mastercard
• Visa (including debit)

Card schemes play an important part in the card payment cycle. This cycle represents how cardholder data is stored, processed and transmitted in order for a transaction to go through. After the acquiring bank has connected and processed a transaction, the card scheme sends an authorisation request to the issuing bank. Once they’ve received a response, they send the information back to the acquiring bank. Therefore, card schemes are an essential component of successful transactions with a third party, such as a retailer.

When using an American Express card, however, the process is slightly different. American Express acts as the card scheme, issuer, and acquirer all at the same time. This means that there are no charges between the acquirer and the issuer. American Express earns most of its income from the discount fees charged to retailers who accept its cards. This is why some businesses refuse to accept American Express as a form of payment. Other credit card brands, such as Visa, generate revenues based on the number of transactions processed, whereas American Express can avoid issuers and acquirers because it earns discount fees directly from retailers.

What are card scheme responsibilities?

The Payment Card Industry Data Security Standard (PCI DSS) represents a set of requirements for any entity, including card schemes, that handle cardholder data. The PCI DSS is in place to protect client payment card data, as well as the profitability of organisations.

As part of the PCI DSS, card scheme responsibilities (American Express, Discover, JCB International, MasterCard and Visa) are:

• Tracking and enforcing PCI DSS compliance
• Setting validating and reporting requirements (each card scheme differs)
• Providing definitions of merchant and service provider levels
• Giving penalty, fee and compliance deadlines for any non-compliance identified as a result of audits and assessments
• Approving and posting compliant PIN and payment machine entries
• Setting guidelines for forensic investigations
• Responding to payment card data compromises at any time, as well as those identified as a result of audits and assessments
• Monitoring these payment card data compromises

The PCI Security Standards Council sets the payment card standards. With the main card schemes, the council provide tools to help with PCI DSS implementation, assist with education and awareness and approve Qualified Security Assessors (QSAs). Card schemes can also rely on the council to perform on-site PCI DSS assessments to ensure that organisations are following the relevant requirements.

Why are these responsibilities important?

There are many severe consequences associated with non-compliance with PCI DSS, which can impact customers, merchants, service providers and financial institutions. The responsibilities assigned to card schemes involve controlling businesses’ compliance with PCI DSS, with the overall objective of protecting personal data. It’s important for card schemes to execute these responsibilities effectively in order to keep consumers’ sensitive information safe and reduce the risks of substantial fines for companies. With poor adherence to PCI DSS, data breaches are far more likely to occur. If this incident arises, the financial penalties and consequent reputational damage caused to the organisation can result in them going out of business. It’s essential that card schemes manage these risks by monitoring the conduct of companies to ensure they’re behaving responsibly and respectfully towards their customers’ data.