If you're a merchant or service provider that stores, processes, or transmits sensitive payment information, you must comply with PCI DSS. This applies to any business that accepts card payments, online or offline, including e-commerce sites, brick-and-mortar stores, and service providers such as banks and payment processors.
Merchants and service providers of all sizes, from small businesses to large corporations, must comply if they handle cardholder data, including payment card numbers, expiration dates, and security codes. Payment processors, banks, and other financial institutions that handle sensitive payment information must comply as well.
Who Must Comply
Any organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data must comply with the PCI DSS.
Merchants who accept payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services must comply with the PCI DSS.
This includes service providers that store, process, or transmit cardholder data on behalf of other merchants or service providers. For example, an ISP that hosts merchants as customers must comply with the PCI DSS.
Issuing banks are not required to undergo PCI DSS validation, but they must secure sensitive data in a PCI DSS-compliant manner. Acquiring banks, on the other hand, must comply with PCI DSS and have their compliance validated with an audit.
What Are the Levels and How Are They Determined?
Merchants fall into one of four merchant levels based on their Visa transaction volume over a 12-month period. Volume is counted as the aggregate number of Visa transactions for each merchant Doing Business As (DBA) name.
Transaction volume is calculated by adding up the number of Visa transactions processed by a merchant, including credit, debit, and prepaid transactions. Where a merchant corporation has multiple DBAs, acquirers must consider the aggregate volume of transactions stored, processed, or transmitted by the corporate entity.
Merchant levels are determined by Visa. Here's a summary of the merchant levels:
- Level 1: merchants processing over 6 million Visa transactions per year.
- Level 2: merchants processing 1 million to 6 million Visa transactions per year.
- Level 3: merchants processing 20,000 to 1 million Visa e-commerce transactions per year.
- Level 4: merchants processing fewer than 20,000 Visa e-commerce transactions per year.
The PCI compliance levels are therefore organized into four tiers, with Level 1 being the strictest and Level 4 the least severe. Almost all small and medium-sized businesses (SMBs) classify as Level 3 or Level 4 merchants.
If a merchant suffers a data breach, they may be escalated to a higher validation level, which can result in increased compliance requirements and potential fines.
Third-Party Compliance
Merely using a third-party company doesn't exclude a company from PCI DSS compliance. Organizations using third-party processors must still be PCI DSS compliant: outsourcing may cut down on their risk exposure, but it doesn't mean they can ignore the PCI DSS.
Third-party agents who perform solicitation activities, deploy ATM or POS devices, or manage encryption keys must be registered in the TPA Registration Program before issuers, acquirers, and merchants can use their services.
Third-Party Processor Compliance
Using a third-party processor can help reduce the effort needed to validate compliance, but it doesn't exempt you from PCI DSS. Your organization must still adhere to the standard.
A Service Provider is defined by the PCI SSC as a business entity not directly involved in payment processing, but still handling cardholder data. This includes companies that provide services controlling or impacting cardholder data security.
Merchants that accept payment cards and also store, process, or transmit cardholder data on behalf of other merchants or service providers act as Service Providers and must achieve compliance in that role.
Third-party agents performing solicitation activities, deploying acceptance devices, or managing encryption keys must be registered in the TPA Registration Program before issuers, acquirers, and merchants can use their services.
Are Debit Card Transactions in Scope?
Debit card transactions are in scope for PCI DSS, which means they must comply with the Payment Card Industry Security Standards Council (PCI SSC) requirements.
In-scope cards include any debit, credit, or prepaid card branded with one of the five card association logos that participate in the PCI SSC: American Express, Discover, JCB, MasterCard, and Visa International.
These logos are a clear indicator that the card is in scope for PCI compliance, and merchants must ensure their systems and processes are secure to protect sensitive cardholder data.
Handling Card Data
Handling card data can be a complex and costly endeavor, especially if you're required to meet the 300+ security controls in the Payment Card Industry Data Security Standard (PCI DSS).
Some business models do require the direct handling of sensitive credit card data, which can be a significant burden. If you're one of them, you'll need to purchase, implement, and maintain security software and hardware, even if the card data only traverses your servers for a short moment.
Companies that don't need to handle sensitive credit card data shouldn't. Third-party solutions like Stripe Elements can securely accept and store the data, reducing complexity, cost, and risk.
With third-party solutions, card data never touches your servers, so you'll only need to confirm a few straightforward security controls, such as using strong passwords.
If you're unsure about your PCI DSS compliance requirements, it's best to consult with a security expert or check with Visa, which manages all data security compliance enforcement and validation initiatives.
Low-Cost, Low-Risk SaaS
Using a third-party processor doesn't exempt your organization from PCI DSS compliance; it reduces your risk exposure, but you still need to validate your compliance.
Handling card data is a significant responsibility. If your business model requires it, you'll need to meet all 300+ security controls in PCI DSS, even if card data only briefly touches your servers.
If you don't need to handle sensitive credit card data, it's best to avoid it altogether. Third-party solutions like Stripe Elements can securely accept and store the data, simplifying the process and reducing complexity.
A hosted Software-as-a-Service (SaaS) ecommerce platform is a low-cost, low-risk option for online stores. This approach saves money on hardware, software licenses, and support, making it a more affordable choice.
A SaaS ecommerce platform is a good fit if your company:
- Wants to save money on hardware, software licenses, and support.
- Doesn't have people to fiddle with hardware and software.
- Prefers to pay one monthly fee to cover your ecommerce platform.
- Wants to remain PCI-compliant with a minimum of effort.
Using a SaaS ecommerce platform can make PCI compliance a breeze: as a Level 2-4 merchant you only need to complete a Self-Assessment Questionnaire (SAQ), and as a Level 1 merchant a Report on Compliance (ROC). This reduces the time and expense associated with PCI compliance.
Debit Card Transactions
Debit card transactions can be a bit confusing, but basically, they're in scope for PCI if they're branded with one of the five card association logos that participate in the PCI SSC.
In other words, if you're dealing with debit cards from American Express, Discover, JCB, MasterCard, or Visa International, you'll need to follow PCI DSS guidelines.
Debit cards are considered in-scope cards, just like credit and pre-paid cards.
Compliance Process
To ensure PCI DSS compliance, issuers and acquirers must verify that all their service providers and merchants adhere to the requirements.
Issuers and acquirers are responsible for confirming cardholder data is being safely handled by their service providers and merchants. This process helps identify any weaknesses that need to be addressed.
By doing so, issuers and acquirers can expose any vulnerabilities and take corrective action to prevent data breaches.
To maintain compliance, you'll need to undergo a vulnerability scan if you qualify for certain Self-Assessment Questionnaires (SAQs) or if you store cardholder data post-authorization. If you qualify for SAQ A-EP, B-IP, C, D-Merchant, or D-Service Provider under version 3.x of the PCI DSS, a quarterly scan by a PCI SSC Approved Scanning Vendor (ASV) is required.
You'll need to submit a passing scan every 90 days, i.e. once per quarter. Merchants and service providers should submit compliance documentation according to the timetable determined by their acquirer. Scans must be conducted by a PCI SSC Approved Scanning Vendor (ASV) such as ControlScan.
Validation of Compliance
Validation of compliance is not mandatory for all entities, but required for merchants and service providers who process, store or transmit cardholder data. Visa and Mastercard require merchants and service providers to be validated according to the PCI DSS.
To confirm cardholder data is being safely handled, issuers and acquirers are responsible for ensuring that all their service providers, merchants and merchants’ service providers comply with the PCI DSS requirements. This is the best way to expose any weaknesses that need to be addressed.
You may need to submit remediation validation records and compliance reports to the acquiring bank and card brands. Level 4 merchants must maintain compliance with PCI DSS Requirements 4, 9, and 11.
If you qualify for certain Self-Assessment Questionnaires (SAQs) or you electronically store cardholder data post-authorization, then a quarterly scan by a PCI SSC Approved Scanning Vendor (ASV) is required to maintain compliance. This includes SAQ A-EP, SAQ B-IP, SAQ C, SAQ D-Merchant, and SAQ D-Service Provider.
Ecommerce Requirements
Any organization that accepts, transmits, or stores cardholder data must comply with PCI DSS.
Ecommerce platforms are required to ensure PCI compliance for their organization if they host and manage their own platform.
The required compliance level is determined by the number of credit or debit card transactions processed over a 12-month period.
All merchants fall into one of four levels: Level 1, Level 2, Level 3, or Level 4.
Level 1 is the strictest in terms of DSS requirements, while Level 4 is the least severe.
Almost all small and medium-sized businesses classify as Level 3 or Level 4 merchants.
Non-compliance can be as costly as a breach: after a breach, the merchant is required to assess to the Level 1 standard for the next year, including an on-site audit.
The PCI compliance levels are organized into four tiers: Level 1, Level 2, Level 3, and Level 4. Level 1 merchants are the organizations that process the highest volume of transactions (over 6 million Visa transactions per year, as set out above).
PCI DSS Requirements
As a merchant, you'll need to determine your required compliance level for PCI DSS. This is based on your credit or debit card transaction volume over a 12-month period.
There are four levels of compliance, with Level 1 being the strictest in terms of DSS requirements. Level 4 is the least severe.
Almost all small and medium-sized businesses (SMBs) classify as Level 3 or Level 4 merchants. However, this doesn't mean they shouldn't maintain compliance with the same diligence as larger organizations.
Non-compliance is equally as costly as a breach, after which you're required to assess to the Level 1 standard for the next year, including an on-site audit. The belief among SMBs that they don't need to worry about compliance is therefore a costly misconception.
Stripe and PCI DSS
Stripe significantly simplifies the PCI burden for companies that integrate with their services. Any organization that accepts, transmits or stores any cardholder data must comply with PCI DSS, regardless of size or number of transactions.
Stripe acts as a PCI advocate and can help in several ways. They'll analyze your integration method and advise you on how to reduce your compliance burden.
For large merchants (Level 1), Stripe can connect you with several auditors that deeply understand the different Stripe integration methods. There are more than 350 such Qualified Security Assessor (QSA) companies around the world.
Stripe's services, such as Checkout and Elements, use a hosted payment field for handling all payment card data. This means the cardholder enters all sensitive payment information in a payment field that originates directly from Stripe's PCI DSS–validated servers.
Stripe will notify you ahead of time if a growing transaction volume will require a change in how you validate compliance. This helps you stay ahead of the game and avoid any last-minute surprises.
US Legislation
In the US, PCI DSS compliance isn't required by federal law, but some states have their own rules, and compliance is required by law in a few of them.
Minnesota was the first state to enact a law related to PCI DSS in 2007, prohibiting the retention of certain payment-card data for more than 48 hours after a transaction is authorized.
Nevada incorporated PCI DSS into state law in 2009, requiring merchants to comply and shielding compliant merchants from liability in case of a data breach. Nevada's law also allows merchants to use other approved security standards to avoid liability, giving them some flexibility in how they meet the requirement.
Washington state followed in 2010, incorporating PCI DSS into its state law, but with a twist: entities aren't required to be PCI DSS-compliant, but those that are will be shielded from liability in case of a data breach.
Frequently Asked Questions
Do banks have to comply with PCI DSS?
Banks that issue credit cards on behalf of major credit card companies must comply with PCI DSS to avoid losing privileges and facing fines. Compliance is crucial for banks to continue processing and issuing credit cards.