Q: My company is a small merchant that does limited payment card transactions. Do I need to make sure we are compliant with the Payment Card Industry Data Security Standard (PCI DSS)?
A: Yes, all merchants (defined as any entity that accepts payment cards bearing the logo of any of the five members of the Payment Card Industry Security Standards Council (PCI SSC) as payment for goods and/or services), regardless of size, need to be PCI compliant.
The PCI DSS is a worldwide information security standard that was created by the PCI SSC. The PCI SSC consists of American Express, Discover, JCB, MasterCard and Visa.
These five members collectively adopted PCI DSS as the requirement for organizations that process, store or transmit payment cardholder data. It represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information.
The PCI SSC is responsible for managing the security standards, while each individual payment brand is responsible for managing and enforcing compliance with these standards.
For noncompliance, each individual payment brand has its own compliance initiatives. These include financial or operational consequences. Your company must contact the individual payment brand for information regarding the validation requirements and deadlines, as well as compliance reporting requirements and any noncompliance consequences.