Does PCI DSS apply to me?

The PCI DSS applies to you if your organisation stores, processes or transmits cardholder data (including manually processed and stored cardholder information). You might even be accidentally storing cardholder data (e.g. receipts from card machines, or emails that contain cardholder details) in a way the Standard does not allow, therefore putting yourself at risk.

PCI DSS compliance applies to your whole cardholder data environment, including any third parties you use that store, process or transmit cardholder data, or that impact the security of cardholder data. These third parties may include the following:

  • Resellers
  • Till vendors
  • Epos vendors
  • Software application providers
  • Payment service providers
  • Payment processing bureaux
  • Data storage providers
  • Web hosting providers
  • Shopping cart providers
  • Software vendors 

You can only achieve compliance if your (in scope) third parties are also compliant. You prove the compliance of your third party suppliers by asking for their compliance certificate and including it in your self-assessment. Read more on third party compliance.

If you’re choosing which third party suppliers to use, Visa Europe and Mastercard have independent lists of Third Party suppliers which might be useful: