Are Gift Cards Subject To PCI Compliance?

It depends on who you ask, what the card looks like and a few other variables. Strictly speaking, PCI only covers Visa, MasterCard, American Express, Discover and JCB, because the owners of those five brands joined together to create the PCI Security Standards Council that maintains the standard. PCI is shorthand for PCI DSS, the Payment Card Industry Data Security Standard: a set of security requirements designed to ensure that ALL companies that accept, process, store or transmit cardholder data from THOSE brands maintain a secure environment.

That being said, unless a gift card bears the distinct logo of one of those brands, a private label gift card does not have to be treated the same way as a debit or credit card. A secondary method for determining whether a gift card is subject to PCI compliance is to see whether the card number starts with a Bank Identification Number, or BIN (also called an Issuer Identification Number, IIN). This is the leading digit or digits of a branded card number, such as 34 or 37 for Amex, 4 for Visa and so forth. If a number follows the format of a credit card number and begins with a 3 through 6, it might be backed by a PCI-regulated card, but the number alone is not conclusive: many closed-loop gift cards reuse the same 16-digit, check-digit-validated format, and for the card to be in scope the sponsoring brand such as Visa must have its logo on the card.
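The BIN check above is easy to automate when you are auditing a gift card database for values that look like branded card numbers. The following is an added example, not code from the original article: it classifies a stored number by brand prefix and Luhn check digit and flags anything that looks like a branded PAN for manual review. The prefix ranges are the publicly documented ones for the five brands (the article only names Amex and Visa; the others are this example's assumption), and the sample records are constructed here using the well-known public test numbers, not real data.

```python
"""
Flag card-number-like values in a gift card system so they can be checked
against PCI DSS scope.  Added example; not part of the original article.
A "pan_like" hit means "review this", not "this is in scope": scope still
depends on whether the card carries a brand logo.
"""
import re

# Brand -> inclusive (low, high) prefix ranges, compared on leading digits.
# Amex 34/37 and Visa 4 come from the article; the rest are the published
# ranges for the other three brands (assumed here, verify against your AP).
BRAND_PREFIXES = {
    "American Express": [("34", "34"), ("37", "37")],
    "Visa": [("4", "4")],
    "Mastercard": [("51", "55"), ("2221", "2720")],
    "Discover": [("6011", "6011"), ("65", "65"), ("644", "649")],
    "JCB": [("3528", "3589")],
}


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit validation, which every branded PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_for(digits: str):
    """Return the brand whose BIN/IIN range matches the leading digits, or None."""
    for brand, ranges in BRAND_PREFIXES.items():
        for low, high in ranges:
            n = len(low)        # low and high always have the same length
            if len(digits) >= n and low <= digits[:n] <= high:
                return brand
    return None


def classify(number: str) -> dict:
    """Classify one stored value (spaces and dashes are ignored).

    pan_like is True when the value has a PAN's length (13-19 digits),
    a branded prefix and a valid Luhn check digit.  Treat such a value as
    cardholder data until it is confirmed to be a private label number
    that merely reuses the format.
    """
    digits = re.sub(r"[ -]", "", number)
    if not digits.isdigit():
        return {"brand": None, "luhn_valid": False, "pan_like": False}
    brand = brand_for(digits)
    luhn = luhn_valid(digits)
    pan_like = 13 <= len(digits) <= 19 and brand is not None and luhn
    return {"brand": brand, "luhn_valid": luhn, "pan_like": pan_like}


# Constructed sample records from a hypothetical gift card database.
SAMPLE_RECORDS = [
    {"id": 1, "number": "4111 1111 1111 1111"},  # Visa-format public test number
    {"id": 2, "number": "3782 822463 10005"},    # Amex-format public test number
    {"id": 3, "number": "6011 1111 1111 1117"},  # Discover-format public test number
    {"id": 4, "number": "7812 3456 7890 1234"},  # private label: prefix 7, no brand
    {"id": 5, "number": "4111 1111 1111 1112"},  # Visa prefix but fails Luhn
]


def find_pci_scope_candidates(records):
    """Return ids of records whose stored number looks like a branded PAN."""
    return [r["id"] for r in records if classify(r["number"])["pan_like"]]


if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(r["id"], classify(r["number"]))
    print("review for PCI scope:", find_pci_scope_candidates(SAMPLE_RECORDS))
```

Records 1 to 3 are flagged; record 4 has no brand prefix and record 5 fails the check digit, so neither is reported. A flagged record still needs a human to confirm whether the physical card carries the brand's logo before it is declared in scope.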

With a private label gift card, personal data that you supply to the store, such as your address and phone number, may be associated with your account or gift card number and kept on a server at the issuing store without the PCI DSS requirements applying. PCI DSS is simply not the standard that governs that data; other data-protection obligations may still apply to it.

If a gift card does begin with a branded BIN range and displays the logo of one of the five participating brands, it is considered an “open-loop” card: money can be loaded onto it and spent anywhere the brand is accepted, and it functions the same way as a credit or debit card. In that case it does fall under PCI DSS. A separate set of rules, the PCI Card Production and Provisioning Security Requirements, applies to the manufacture and personalization of these types of gift cards.