Who Should Be PCI Compliant: The Payment Card Industry Data Security Standard (PCI DSS)
Entities That Need to Be PCI Compliant
Any entity that stores, processes or transmits cardholder data, or that could affect the security of that data, must comply with the PCI Data Security Standard (DSS). This covers merchants of any size that accept payment cards and service providers of any kind, including vendors and security consulting companies that handle cardholder data on a client's behalf. It also covers data centers and hosting providers that touch cardholder data through services such as shared hosting, dedicated secure server hosting and cloud hosting; a hosting provider is a service provider in PCI DSS terms, and its customers' compliance depends on its own. The PCI DSS also serves as a baseline for software developers, payment application vendors and device manufacturers whose products take part in those transactions, although the PCI Security Standards Council maintains separate standards for payment software and PIN-entry devices, and the DSS defines the environment those products must be deployed into.
PCI Compliance for Other Entities
There are, of course, plenty of entities whose handling of cardholder data does not fit squarely within the definitions of merchant and service provider. Call centers that keep audio recordings containing card numbers or security codes, merchants responsible for cardholder data held by a device or application they operate, and even merchants that fully outsource payment processing and never store or process cardholder data themselves all need to clarify their specific PCI DSS requirements. Outsourcing reduces the scope of an assessment, but it does not remove the obligation: the merchant remains accountable for the data, must still validate compliance (typically through a reduced self-assessment), and must confirm that each third party it relies on is itself compliant. Ultimately, entities should check with their acquirers or the payment brands to find out exactly what is required of them to establish and maintain PCI DSS compliance.
Providing Proof of PCI Compliance
Proof of PCI DSS compliance must be reported to the parties an entity works with: merchants report to their acquiring bank, and service providers report to the payment brands or to the customers that require it. The form of proof varies from business to business, depending on its size (the payment brands assign merchant and service provider levels based on annual transaction volume) and on how it handles cardholder data. In every case the entity submits an Attestation of Compliance (AOC), which summarizes the result of one of two kinds of assessment defined by the PCI Security Standards Council (SSC): a Report on Compliance (ROC), produced by an on-site assessment carried out by a Qualified Security Assessor (QSA) or, where the acquirer permits, by an Internal Security Assessor (ISA), or a Self-Assessment Questionnaire (SAQ), the validation tool for entities not required to undergo an on-site assessment. Which SAQ applies, and whether an SAQ is permitted at all, is determined by the acquirer or payment brand, not chosen freely by the business. Where the applicable SAQ or ROC requires external vulnerability scanning, passing quarterly scans by an Approved Scanning Vendor (ASV) must be submitted as well.