Who must comply with PCI DSS?

PCI DSS compliance reduces the risk of intrusions and theft, building trust with cardholders and signaling to the marketplace that your organization takes data and privacy protection seriously. If your business requires you to hold or transfer credit card information or cardholder data, you’re subject to the Payment Card Industry Data Security Standard (PCI DSS).

But who must comply with PCI DSS, specifically, you may be asking? And who doesn’t need to worry about PCI DSS? Here’s a good cheat sheet:

  • If you work with data from MasterCard, Visa, Discover, JCB International, or American Express (this largely means vendors who accept credit card payment either online or in person) you must comply with PCI DSS.
  • If you’re a manufacturer of PIN pads and other devices for accepting credit cards, or a software developer or organization that integrates applications that interact with cardholder data, you are probably not required to comply with PCI DSS. (You may, however, be subject to other standards such as PCI PTS and PCI PA-DSS.)

Which PCI DSS compliance level applies to my company?

The other PCI DSS aspect to consider is which PCI DSS level applies to your company. PCI DSS requires organizations that process more transactions to make greater efforts toward compliance than smaller organizations with fewer transactions.

The general expectations for all organizations are the same under PCI DSS, but the specific PCI DSS validation requirements vary based on the number of transactions an organization processes each year. Lower-volume organizations (presumably smaller businesses) can use self-reporting processes. Higher-volume organizations cannot.

There is not one consistent guideline, unfortunately, for assigning PCI DSS levels. Each payment card brand (such as Visa or MasterCard) has different levels of enforcement and validation. Depending on which level your organization is assessed at, you will use one of two methods to prove PCI DSS compliance: a Qualified Security Assessor (QSA) or the Self-Assessment Questionnaire.

  • Qualified Security Assessors (QSA) are organizations approved by the PCI Council to be a third-party assessor of compliance.
  • Self-Assessment Questionnaires (SAQ) are for smaller-volume organizations. These questionnaires allow an organization to go through their own internal process to validate compliance. There are several SAQs. Guidance for which SAQ is appropriate is available in the PCI Self-Assessment Questionnaire Instructions and Guidelines.

What are the penalties for PCI DSS non-compliance?

What if you are a PCI-defined merchant and don’t comply with PCI DSS? Complying with the appropriate PCI rules is a requirement for participation in the credit card ecosystem, and the consequences of noncompliance affect not just your company, but your bank as well.

Each acquiring bank (the bank that processes card transactions on the merchant’s behalf) is answerable to the payment brand and can be fined for its merchants’ noncompliance. Fines and other consequences of non-compliance then trickle down to the merchants.

Fines historically have ranged from $5,000 to $100,000 per month while a merchant has been out of compliance. Merchants and banks can also lose the ability to process cards or face increased processing fees. Non-compliance can also expose an entity to lawsuits from consumers.

Looks like my company must comply with PCI DSS. Now what?!

Once you discover your business is subject to PCI DSS, you’ll need to understand which PCI DSS level applies to your company and begin the three-step PCI DSS compliance process: assess, remediate, and report. These three steps must be repeated on an ongoing basis in order to maintain PCI DSS compliance.

There are a couple of paths you can take to reach PCI DSS compliance:

  • Build your own expertise. The PCI Security Standards Council maintains an extensive document library of PCI DSS resources you can study and use to fill out the required SAQs or navigate the twists and turns of the QSA audit process.
  • Hire a traditional security consulting firm that will handle PCI DSS compliance for a premium price.
  • Choose a user-friendly security platform — like Strike Graph — that makes the PCI DSS compliance process quick, easy, and less expensive.

Strike Graph uses a risk-based approach to right-size your PCI DSS compliance process, eliminating unnecessary work. Our platform makes it easy to identify exactly which PCI DSS requirements apply to your unique business context, and then to mitigate those risks using our extensive control and evidence libraries. Our approach is far faster than trying to answer every question on a one-size-fits-none checklist.

Are you ready to build trust through cybersecurity?