Pretty much everyone is aware of PCI these days. The Payment Card Industry Data Security Standard (PCI DSS) is one of the most detailed information security standards out there and in most cases has elevated the level of security within organizations.
Though the PCI DSS is made up of only 12 main requirements, they are divided into over 200 subrequirements, all of which must be satisfied in order to be considered fully compliant. Over 200 subrequirements! All of which must be satisfied to be compliant!
Anyone who transmits, stores, or processes cardholder data must comply with all 200+ subrequirements of the PCI DSS. I don’t know how to state it more plainly.
You may have noticed that I haven’t mentioned merchant levels or service provider levels yet. That’s because they don’t matter here – everyone needs to comply with ALL of the standard. Unbelievably, I’ll be talking with a level 3 or level 4 merchant who thinks that all they need to do is run vulnerability scans and check off the boxes on their Self-Assessment Questionnaire (SAQ). Well, scanning satisfies one subrequirement, but what about the rest of them?
The various merchant level buckets exist only to determine your validation requirements: you may be required to have an on-site validation assessment, or you may complete a Self-Assessment Questionnaire. Either way, all 200+ subrequirements of the PCI DSS apply to everyone.
If you do suffer a breach at some point, you will be very glad you were fully compliant with the PCI DSS. There is much to be said for safe harbor.
Nancy Sykora
Sr. Account Executive