Businesses that do not comply with PCI face penalties and violations, as well as less tangible consequences like the loss of customer trust.

To avoid these consequences, it’s essential you understand if your business falls within the scope of PCI DSS.

Who does PCI DSS apply to?

PCI DSS applies to any business that accepts, handles, stores, or transmits cardholder data. The standard also applies to any organization that could impact the security of cardholder data. 

The PCI DSS standard splits businesses into two main categories: merchants and service providers. We discuss the differences between the two below. 

PCI DSS for merchants

A merchant is any business that accepts payments with a card bearing the logo of any of the five major credit card companies: American Express, Visa, Mastercard, Discover, and JCB. 

The steps for complying with PCI DSS will vary depending on which of the four PCI compliance levels your business falls under or the specific requirements from your acquiring bank. These levels are determined by the number of card transactions your business handles in a given year. 

Here’s a breakdown of the merchant compliance levels:

  • Level 1: Merchants that process over 6 million card transactions annually
  • Level 2: Merchants that process 1 million to 6 million transactions annually
  • Level 3: Merchants that process 20,000 to 1 million transactions annually
  • Level 4: Merchants that process fewer than 20,000 transactions annually

PCI DSS for service providers

A service provider is directly involved with processing, storing, or transmitting cardholder data on behalf of a merchant. 

A company that provides services that control or could impact the security of cardholder data is also considered a service provider. 

Common examples of service providers include:

  • Payment processors
  • Managed point of sale (POS) providers
  • Transaction processors
  • Payment gateways
  • Web hosting companies
  • Third-party marketing firms
  • Vendors that perform POS maintenance
  • Vendors that offer managed network firewall solutions

There are two compliance levels for service providers, which are determined by the number of transactions they store, process, or transmit. 

  • Level 1: Service providers that store, process, or transmit more than 300,000 credit card transactions annually
  • Level 2: Service providers that store, process, or transmit fewer than 300,000 credit card transactions annually

Your service provider level helps dictate the reporting requirements you will need to prove compliance. For example, a Level 1 service provider will undergo annual audits conducted by a QSA to prove compliance, while a Level 2 service provider will complete an annual SAQ D.