Do I need PCI Compliance?


The Payment Card Industry Data Security Standard (PCI DSS) applies to any company that stores, processes or transmits cardholder information. Regardless of size, if a business fits into that description it must be PCI DSS compliant to avoid fines and continue to accept payment cards.

Cardholder data is defined as the primary account number (PAN) in conjunction with cardholder name, expiration date, or service code. Additionally, PCI requires business who collect sensitive authentication data to be compliant. Sensitive authentication data includes, but is not limited to, card validation codes/values, track data from a magnetic stripe or card chip, PINs, PIN blocks, or any other information used to authenticate cardholders or authorize payment card transactions.

PCI established four levels of compliance. Each of these levels is based on the amount of cards processed per year. Level 1 is for merchants processing over 6 million Visa and/or Mastercard transactions per year. Level 2 is for merchants processing between 1 million and 6 million Visa and/or Mastercard transactions per year. Level 3 is for merchants processing between 20,000 and 1 million Visa and/or Mastercard transactions per year. Level 4 is for merchants processing less than 20,000 Visa and/or Mastercard transactions per year.

Any point-of-sale technology (including websites), line-busting technology, or WLAN used to store, process, or transmit cardholder data falls under the compliance requirement. If a business chooses to outsource the PCI DSS compliance to a third-party the merchant is responsible for oversight and vendor management to ensure continuous compliance with the standard.

Ecommerce merchants must use PCI DSS validated third parties if they choose to outsource payment processing. Additionally, they need to ensure that no electronic storage, processing, or transmission of cardholder data remains on their systems or premises.

Merchants who only use imprint machines with no electronic cardholder data storage and/or who use standalone dial-out terminals with no electronic cardholder data storage should also consider PCI DSS compliance.

Merchants using standalone, PTS-approved terminals that connect to a payment processor using an IP address need to review their individual compliance requirements.

In cases where the merchant manually enters individual transactions on a keyboard into an internet-based terminal solution, the business needs to review the PCI DSS validated third party for compliance.

If a merchant uses a payment system connected to the internet with no electronic cardholder data stored, they need to incorporate PCI DSS compliance.

Some merchants only use hardware payment terminals included in and managed by a validated PCI SSC-listed P2PE solution, and they must be compliant and ensure their vendor is compliant.

Service providers, defined as business entities that are not payment brands but process, store, or transmit cardholder data on behalf of another entity must be PCI DSS compliant. Service providers may include but are not limited to businesses that provide managed firewalls, IDS, or hosting services.