Who Needs to Be PCI Compliant?

  • June 30, 2022

In 2019, there were 39.6 billion card transactions in the U.S. alone, and over 80% of consumers prefer to pay with a card over cash.

This rise in card transactions led to the introduction of the Payment Card Industry Data Security Standard (PCI DSS). The standard aims to protect card information and prevent unauthorized usage. 

If you’ve ever wondered, “who needs to be PCI compliant?” the answer is any business that accepts debit or credit card payments — much like the businesses engaging in the 39.6 billion transactions highlighted above. 

While that explanation seems simple, there’s a whole lot more to PCI compliance than meets the eye. 

Below, we cover when PCI compliance is required, exactly what types of businesses it applies to, and what happens if you’re not compliant. 

Quick review: What is PCI DSS compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is mandated by credit card companies to keep cardholder data safe. The standard provides guidelines for storing, transmitting, and processing card payments securely. 

These security guidelines are outlined within the 12 PCI DSS requirements. Each requirement must be met in order to achieve PCI compliance. 

The 12 PCI DSS requirements:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks 
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel

Is PCI compliance required?

Yes. PCI compliance is required for any business that processes, stores, or transmits cardholder data — regardless of the size and scale of your business. 

A small business that handles 100 card transactions a year must comply with PCI DSS, just like an enterprise-level business that handles 1 million transactions. 

However, PCI compliance for a small business will look a bit different from an enterprise-level organization. We’ll dig into these differences below.  

Who does PCI DSS apply to?

PCI DSS applies to any organization that accepts, handles, stores, or transmits cardholder data. The standard also applies to any organization that impacts the handling, storage, or transmission of cardholder data. 

Simply put, PCI DSS applies to any business that accepts credit and debit card payments.

The PCI DSS standard splits businesses into two main categories: merchants and service providers. We discuss the differences between the two below. 

PCI DSS for merchants

A merchant is any business that accepts payments with a card bearing the logo of any of the five major credit card companies: American Express, Visa, Mastercard, Discover, and JCB. 

The steps for complying with PCI DSS will vary depending on which of the four PCI compliance levels your business falls under. These levels are determined by the number of card transactions your business handles in a given year. 

Here’s a breakdown of the merchant compliance levels:

  • Level 1: Merchants that process over 6 million card transactions annually
  • Level 2: Merchants that process 1 million to 6 million transactions annually
  • Level 3: Merchants that process 20,000 to 1 million transactions annually
  • Level 4: Merchants that process fewer than 20,000 transactions annually

PCI DSS for service providers

A service provider is directly involved with processing, storing, or transmitting cardholder data on behalf of a merchant. 

A company that provides services that control or could impact the security of cardholder data is also considered a service provider. 

Common examples of service providers include:

  • Payment processors
  • Managed point of sale (POS) providers
  • Transaction processors
  • Payment gateways
  • Web hosting companies
  • Third-party marketing firms
  • Vendors that perform POS maintenance
  • Vendors that offer managed network firewall solutions

There are two compliance levels for service providers, which are determined by the number of transactions they store, process, or transmit. 

  • Level 1: Service providers that store, process, or transmit more than 300,000 credit card transactions annually
  • Level 2: Service providers that store, process, or transmit fewer than 300,000 credit card transactions annually

Your service provider level dictates the reporting requirements you must meet to prove compliance. For example, a Level 1 service provider undergoes an annual audit conducted by a Qualified Security Assessor (QSA) to prove compliance, while a Level 2 service provider completes an annual Self-Assessment Questionnaire D (SAQ D).

What happens if you’re not PCI compliant?

There are a few consequences for businesses that fail to comply with PCI DSS. 

Most notably, you could lose the ability to accept card payments. Your acquirer (also known as your acquiring bank) could choose to terminate its relationship with you, leaving you unable to accept card payments.

Businesses may also face non-compliance fines and an increase in transaction fees.

Another potential consequence of non-compliance is a data breach. Since PCI DSS requires businesses to maintain security controls to keep cardholder data safe, non-compliance could mean that cardholder data is vulnerable to a breach. 

If your business experiences a cardholder data breach, you may be required to follow the validation requirements of a higher compliance level. For example, if a Level 4 merchant experiences a data breach, it may be required to follow the reporting steps of a Level 1 merchant, which is a much more stringent process.

How Secureframe can help you achieve PCI compliance 

Becoming PCI compliant is no easy task. 

Our team can help you navigate the 300-plus security controls and 12 requirements to achieve and maintain PCI compliance and lift some of the burden of compliance from your team’s shoulders. 

Request a demo to find out more today. 
