All types Page Article White Paper Download
Solutions The best route to security compliance
Hicomply Privacy™ ISO 27001 ISO 9001 ISO 14001 SOC 2 NHS DSPT NIST 800-53 Hicomply GRC™ Services & Customer Support
Platform A powerful suite of ISMS features
Dashboard ISMS Scoping Policy Management Risk Management Information Asset Management Task Management Integrations Hicomply for Enterprises Trust Centre Controls Monitor Hicomply AI
Resources Everything you need to know
Knowledge & Insights Resources Hub Case Studies Sectors Glossary News ROI Calculator
Knowledge Base Learn more about infosec
ISO 27001 Knowledge Base SOC 2 Knowledge Base NHS DSPT Knowledge Base PCI DSS Knowledge Base NIST 800-53 Knowledge Base DORA Knowledge Base
Company Security and customers first
About News Partners Contact

To whom does PCI DSS Apply?

Created by the PCI Security Standards Council (PCI-SSC), the Payment Card Industry Data Security Standard (PCI-DSS) is a set of security standards meant to protect payment transaction systems from security issues and breaches.

Read More

What does PCI-DSS apply to?

These standards apply to a great number of businesses and organisations involved in processing cardholder data, and there are consequences if your company is found to be non-compliant.

Who does PCI-DSS apply to?

PCI-DSS compliance is mandatory for any business or organisation responsible for storing, transmitting, or processing any cardholder data. This covers a wide range of different entities and industries, so it’s important to make sure that your organisation remains compliant with the requirements.

Most businesses involved are merchants, issuers, acquirers, and processors. Essentially, PCI-DSS applies to you if you accept credit, debit, or prepayment cards in any way, regardless of whether you store the data.

Equally, if your company collects sensitive authentication data that falls under data retention requirements, you will also need to be PCI-DSS compliant. The PCI-DSS protects cardholder data including CVV, Card Number, PAN, and other pieces of vulnerable information that a hacker could gain access to.

If your company is cloud-based and uses third-party vendors to outsource payment card processing, it’s important to ensure that both the payment process and the third parties are aware of the PCI-DSS compliance requirements. It’s worth noting that, when applied properly, this process does reduce the risk of a breach.

Is PCI-DSS compliance mandatory?

It doesn’t matter whether your business is an enterprise or a big organisation – if you handle card data in your processes, you are required by contract to be PCI-DSS compliant. The contract is usually provided by credit card businesses that require compliance to reach an agreement. This is non-negotiable, and if your company is found non-compliant, then you may face one of the PCI-DSS fines and penalties.

What does PCI-DSS apply to merchants?

If your business accepts credit cards from one of the core five credit card companies – American Express, Visa, Mastercard, Discover, and JCB – then you are considered a merchant.

Based on the number of card transactions your business has in any given year, your company will be given a ‘level’ by the PCI that determines the specific requirements you will have to follow according to your bank. The levels are as follows:

  • Level 1 covers merchants that process over 6 million card transactions a year.
  • Level 2 covers merchants that process 1 million to 6 million transactions a year.
  • Level 3 covers merchants that process 20,000 to 1 million transactions a year.
  • Level 4 covers merchants that process fewer than 20,000 transactions a year.

What does PCI-DSS apply to service providers?

PCI-DSS also applies to service providers who act as third parties to process, store, or transmit sensitive cardholder data for a merchant. Any company involved in the handling or control of the data needs to follow PCI-DSS requirements to ensure the security surrounding customer’s data is watertight during the whole process.

Service providers include:

  • Web hosting companies
  • Third-party marketing companies
  • Payment processors and gateways
  • Point of sale (POS) providers
  • Transaction processors
  • Vendors that perform POS maintenance or offer managed network firewall solutions.

As with merchants, service providers are separated into different ‘levels’ based on the number of transactions they are involved in. These levels determine which requirements the provider needs to follow to remain compliant.

  • Level 1 covers service providers storing, processing, or transmitting over 300,000 credit card transactions a year.
  • Level 2 covers service providers storing, processing, or transmitting fewer than 300,000 credit card transactions a year.

Stay in the know on PCI-DSS compliance with Hicomply

If your company or organization needs to receive PCI-DSS certification, it can be daunting to know where to start and keep track. The road to compliance is long and can be overwhelming, which is why Hicomply has aimed to streamline the process.

Our full-service ISMS platform keeps all the documentation your business needs in one place, making organisation a breeze. Contact us now for more information.