Who Must Comply?
Any company that processes, stores, or transmits credit card data must comply with the PCI Data Security Standard. PCI groups companies by type and by the number of transactions they process. Using these groupings, PCI assigns levels, from largest (Level I) to smallest (Level IV). Merchants are companies that conduct business, either online or in traditional “brick-and-mortar” fashion. Service providers (and payment gateways) are companies that facilitate transactions on behalf of merchants and acquiring banks. Based on its level, a company must perform a series of tasks to substantiate its compliance with PCI. The following table summarizes these tasks.
PCI Data Security Standards
Regardless of transaction volume and the steps required to demonstrate compliance, all companies must adhere to the PCI Data Security Standard (PCI-DSS). The following table summarizes key provisions of these standards.