
To whom does PCI DSS apply?

Created by the PCI Security Standards Council (PCI-SSC), the Payment Card Industry Data Security Standard (PCI-DSS) is a set of security requirements intended to protect payment transaction systems and the cardholder data they handle from compromise and breaches.

What does PCI-DSS apply to?

These requirements apply to a large number of businesses and organisations involved in handling cardholder data, and there are consequences if your company is found to be non-compliant.

Who does PCI-DSS apply to?

PCI-DSS compliance is mandatory for any business or organisation that stores, processes, or transmits cardholder data. This covers a wide range of entities and industries, so it is important to make sure that your organisation remains compliant with the requirements.

Most of the businesses involved are merchants, issuers, acquirers, and processors. Essentially, PCI-DSS applies to you if you accept credit, debit, or prepaid cards in any way, regardless of whether you store the card data yourself.

Equally, if your company collects sensitive authentication data that falls under the data retention requirements, you will also need to be PCI-DSS compliant. PCI-DSS protects cardholder data including the CVV, the card number (PAN), and other sensitive information that an attacker could use if they gained access to it.

If your company is cloud-based and outsources payment card processing to third-party vendors, it is important to ensure that both your payment process and those third parties are covered by, and aware of, the PCI-DSS compliance requirements. It is worth noting that, when applied properly, this process does reduce the risk of a breach.

Is PCI-DSS compliance mandatory?

It does not matter what size your business or organisation is: if you handle card data in your processes, you are required by contract to be PCI-DSS compliant. The contract is usually provided by the card brands, which require compliance before they will reach an agreement with you. This is non-negotiable, and if your company is found non-compliant, you may face PCI-DSS fines and penalties.

How does PCI-DSS apply to merchants?

If your business accepts cards from any of the five core card brands – American Express, Visa, Mastercard, Discover, and JCB – then you are considered a merchant.

Based on the number of card transactions your business handles in a given year, your company is assigned a ‘level’ that determines the specific validation requirements you must follow, as set by your acquiring bank. The levels are as follows:

  • Level 1 covers merchants that process over 6 million card transactions a year.
  • Level 2 covers merchants that process 1 million to 6 million transactions a year.
  • Level 3 covers merchants that process 20,000 to 1 million transactions a year.
  • Level 4 covers merchants that process fewer than 20,000 transactions a year.

How does PCI-DSS apply to service providers?

PCI-DSS also applies to service providers, the third parties that process, store, or transmit sensitive cardholder data on behalf of a merchant. Any company involved in handling or controlling that data must follow the PCI-DSS requirements so that customers’ data is protected throughout the whole process.

Service providers include:

  • Web hosting companies
  • Third-party marketing companies
  • Payment processors and gateways
  • Point of sale (POS) providers
  • Transaction processors
  • Vendors that perform POS maintenance or offer managed network firewall solutions

As with merchants, service providers are separated into ‘levels’ based on the number of transactions they are involved in. These levels determine which validation requirements the provider must follow to remain compliant.

  • Level 1 covers service providers storing, processing, or transmitting over 300,000 credit card transactions a year.
  • Level 2 covers service providers storing, processing, or transmitting fewer than 300,000 credit card transactions a year.

Stay in the know on PCI-DSS compliance with Hicomply

If your company or organisation needs to achieve PCI-DSS certification, it can be daunting to know where to start and how to keep track of everything. The road to compliance is long and can be overwhelming, which is why Hicomply has aimed to streamline the process.

Our full-service ISMS platform keeps all the documentation your business needs in one place, making organisation a breeze. Contact us now for more information.