Myth: PCI Does Not Apply to My Organization. We Have Outsourced Everything. We do Not Store or Process any Credit Card Data
PCI DSS applies to any organization that stores, processes or transmits cardholder data. PCI applies to any organization that accepts credit cards for payment, even if it handles only a single transaction. PCI compliance is required of these organizations to keep cardholder data safe from hackers and fraudsters. Three things to keep in mind:
Destroying the credit card data immediately after processing it does not exempt you from PCI compliance – your processes and policies around access to, retention of and destruction of the data will still need to be validated.
Entering credit card information directly into an online application or virtual terminal for processing is considered transmitting cardholder data, even if the application is provided by a third party.
Outsourcing all your credit card processing, storage and transmission does not exempt you from compliance either – you still need to validate the processes you have around paper receipts containing cardholder data, the reports you receive from your service provider, and the agreements you have signed with them.
Separate from the mandate to comply with the PCI Standard is the mandate to validate compliance. Your business processes determine what you have to do to demonstrate or validate compliance, and therefore which SAQ validation type you complete. You may have to answer only a few questions or more than 200, depending on the SAQ version that is appropriate for your organization.
It is important to work with your PCI consultant and your Acquirer to determine the SAQ type that is applicable to your organization.