Who Does PCI DSS Apply To?



The Payment Card Industry Data Security Standard (PCI DSS), established by the Payment Card Industry Security Standards Council (PCI SSC), applies globally to any entity that stores, processes or transmits cardholder data, or whose systems can affect the security of that data. Regardless of size, a business that fits that description must be PCI DSS compliant to avoid fines from the card brands and to continue accepting payment cards. The PCI SSC's founding members are the card brands American Express, Discover Financial Services, JCB International, Mastercard, and Visa, Inc.

Cardholder data consists, at a minimum, of the full primary account number (PAN); it may also include the cardholder name, expiration date, and service code when they are stored, processed or transmitted together with the PAN. Sensitive authentication data (SAD) is treated separately and more strictly: it includes full track data from the magnetic stripe or the equivalent data on a chip, card verification codes and values (CAV2/CVC2/CVV2/CID), and PINs or PIN blocks, that is, the elements used to authenticate the cardholder or authorise a transaction. A business that handles SAD is in scope for PCI DSS, and SAD must never be stored after authorisation, even if encrypted.

The card brands define four merchant levels, based chiefly on annual transaction volume, and a separate set of service provider levels. These levels do not change which security controls apply: every in-scope entity must meet all of the PCI DSS requirements (network security controls, protection of stored data, anti-malware, access control, monitoring, and so on). What the level determines is how compliance is validated. The highest-volume merchants must have an annual on-site assessment performed by a Qualified Security Assessor (QSA) or a qualified internal assessor, resulting in a Report on Compliance (ROC); lower-volume merchants typically validate by completing the Self-Assessment Questionnaire (SAQ) that matches their payment channel, along with quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) where the SAQ requires them.

Any point-of-sale technology (including websites), line-busting technology, or wireless LAN used to store, process, or transmit cardholder data falls within the scope of the standard. A business that outsources some or all of its cardholder data functions to a third party does not outsource the obligation: the merchant remains responsible for oversight and vendor management, including confirming the provider's own PCI DSS compliance status and agreeing in writing which requirements each party covers.

E-commerce merchants who outsource payment processing entirely to PCI DSS validated third parties, so that no cardholder data is stored, processed, or transmitted on their own systems or premises, have the smallest validation burden (SAQ A). A merchant whose own website can affect the security of the payment transaction, for example by serving the page that redirects to, or embeds, the third-party payment form, retains more of the requirements (SAQ A-EP) and must still secure that website.

Merchants who only use manual imprint machines and/or standalone dial-out terminals, with no electronic cardholder data storage, are still in scope. They must validate compliance, typically through SAQ B, which covers the reduced set of requirements that apply to such environments.

Merchants using standalone, PTS-approved point-of-interaction terminals that connect to the payment processor over an IP network, with no electronic cardholder data storage, fall under a different set of requirements (SAQ B-IP) and must review which controls, including network segmentation of the terminals, apply to them.

Where the merchant manually keys individual transactions into an internet-based virtual terminal, the virtual terminal solution must be provided and hosted by a PCI DSS validated third party, the workstation used must be isolated from other systems, and no electronic cardholder data may be stored (SAQ C-VT).

If a merchant uses a payment application system connected to the internet, with no electronic cardholder data storage, the merchant is in scope (SAQ C) and must secure both the payment system and the network that connects it to the internet.

Some merchants only use hardware payment terminals included in and managed by a validated PCI SSC-listed point-to-point encryption (P2PE) solution. Because cardholder data is encrypted inside the terminal and decrypted only by the solution provider, these merchants validate against a much reduced set of requirements (SAQ P2PE), but they must still comply with those requirements and confirm that their solution provider remains on the PCI SSC list.

Service providers, defined as business entities that are not payment brands but that process, store, or transmit cardholder data on behalf of another entity, or whose services can affect the security of that entity's cardholder data, must also be PCI DSS compliant. Service providers include, but are not limited to, businesses that provide managed firewalls, intrusion detection, or hosting services.