Any organisation, regardless of size or number of transactions, that accepts payment by card, transmits or stores any cardholder data, or could impact the security of cardholder data is required to be PCI DSS compliant. However, your specific requirements under PCI DSS will vary depending on what type and size of organisation you are; for example: a merchant, payment service provider, or financial institution. For organisations that utilise card payments, PCI DSS compliance is a responsibility to protect your organisation and customers from the increasing risk of data breaches.
In this blog, I’ll dive into who needs to comply with PCI DSS, what their requirements are and, most importantly, what happens if they don’t comply.
What Is PCI DSS Compliance?
PCI DSS is a set of requirements designed to secure card transactions against data theft and fraud. The PCI DSS was introduced by the Payment Card Industry Security Standards Council (PCI SSC) in 2006, originating from the major card brands Visa, MasterCard, American Express, Discover and JCB. More recently, UnionPay became a strategic member of the PCI SSC.
The standard comprises both technical and operational requirements and controls for organisations that store, process, or transmit cardholder data (CHD), and for service providers (organisations that enable companies to process card payments, or that could impact the security of CHD if compromised). Compliance demonstrates a robust payments ecosystem with controls implemented according to the risks within the payment lifecycle.
Service providers include companies directly supporting payments such as payment gateways or payment service providers, as well as those that control or could impact the security of CHD including hosting providers, managed service providers supporting servers or network controls, and similar.
Who Must Be PCI DSS Compliant?
As Qualified Security Assessors (QSAs), we are regularly asked this question by organisations we work with. As answered above, you may be required to be PCI DSS compliant if you satisfy any of the following criteria:
- You accept payment by card
- You transmit or store any cardholder data
- You could potentially impact the security of cardholder data
Let’s have a more detailed look at the types of organisations that are required to comply with PCI DSS.
Merchants
Merchants are the primary organisations required to achieve and maintain PCI DSS compliance. Any organisation that accepts card payments into bank accounts that they own, whether it's through physical retail locations, e-commerce websites, mobile platforms, or over the phone, falls under this category.
Merchants are categorised into levels based on the total number of card transactions they process annually:
- Level 1: Over 6 million annual transactions.
- Level 2: 1 to 6 million annual transactions.
- Level 3: 20,000 to 1 million annual transactions.
- Level 4: Less than 20,000 annual transactions.
Level 1 merchants have a higher likelihood of payment card fraud due to their volumes and are required to engage a QSA to complete a formal assessment and capture the results within a Report on Compliance (RoC) template.
Level 2 merchants typically report compliance with a Self-Assessment Questionnaire (SAQ) completed by an Internal Security Assessor (ISA), or via a QSA-led assessment if the merchant has not employed an ISA or is required to do so by their acquirer.
Level 3-4 merchants may be eligible to report compliance by completing a SAQ, although the merchant’s acquiring bank may require them to submit a SAQ that has been validated and countersigned by a QSA for further assurance.
Even small or micro-organisations, such as sole traders or local boutique shops, must be PCI DSS compliant, regardless of their transaction volume; however, this isn’t as onerous as it sounds!
Payment Service Providers
Payment processors and gateways (organisations that provide services such as processing payments on behalf of merchants or third-party payment solutions such as PayPal or Stripe) are required to achieve and maintain PCI DSS compliance as their security operations have a direct impact on customer CHD security.
Financial Institutions
Organisations that issue payment cards or manage cardholder data (including banks and credit unions) must also achieve and maintain PCI DSS compliance in order to demonstrate the integrity of their payment systems and adequately protect CHD.
Hosting Providers
Organisations that store CHD for their clients (such as hosting or cloud service providers) must achieve and maintain PCI DSS compliance in order to demonstrate secure storage of customer data. This includes organisations that only store, but do not process, CHD.
Call Centres and Business Process Outsourcing (BPOs)
Organisations that accept or process CHD over the telephone (even if on behalf of other organisations) must comply with PCI DSS. In this case, they would be required to follow the same standards as merchants and/or payment processors.
Other Entities
Software developers, hardware manufacturers and other security-impacting service providers that can impact cardholder data security are also subject to PCI DSS compliance.
The Penalties for Non-Compliance
Non-compliance with PCI DSS can result in serious consequences for organisations, such as:
Fines and Penalties
Organisations can be hit with substantial fines from card brands and their acquiring banks, typically ranging from £4,000 to £80,000 per month until they are assessed as compliant. Acquirers may impose additional penalties, such as increasing the merchant’s transaction fees or even terminating the relationship altogether. Additional fines may also be imposed for repeat violations, and for any data breaches that result from the lack of security controls.
Increased Liability
In the unfortunate event of a data breach, organisations may be held financially responsible (by the likes of the Information Commissioner’s Office, ICO) for any fraudulent transactions or related damages that occurred as a result of the breach, as well as for the costs to remediate and revalidate compliance.
Loss of Custom
Reputational damage, loss of customer trust, and ultimately, the loss of business can result following a data breach. Organisations can also have the ability to accept card payments removed by their acquiring banks, forcing customers to go elsewhere for goods and services.
Legal and Regulatory Consequences
Depending on the severity of a data breach, organisations could face legal proceedings or action from regulatory bodies such as the ICO.
Key Messages for Organisations
So, we’ve looked at what PCI DSS is, who it applies to, and the consequences of non-compliance. Below is a quick roundup of all the important parts:
- Size doesn’t matter: Whether you're a sole trader, a startup or an international organisation, if you store, process, or transmit cardholder data, you must comply with PCI DSS.
- Trust is currency: Compliance with standards such as the PCI DSS demonstrates to your customers that your organisation takes their security seriously, leading to trust, loyalty and ultimately, income.
- It’s about evolution: PCI DSS compliance isn’t a one-time tick-box activity. Ongoing improvement, maintenance and annual assessment are essential to ensure your security practices evolve as threats do.
Bridewell is a PCI SSC accredited QSA Company (QSAC) and leading cyber security company, specialising in protecting and transforming critical business functions for some of the world’s most trusted and regulated organisations. Get in touch to discuss your business’s needs with our friendly team.