Who Does PCI DSS Apply To?

March 27, 2025

In the United States, nearly 75% of adults (190 million) have a credit card, and most Americans have four. Worldwide, there were more than 1.2 trillion individual digital payment transactions in 2023 — or 150 purchases per person. These transactions rely heavily on the Payment Card Industry Data Security Standard (PCI DSS) to protect cardholder data. Does PCI DSS apply to you and your business?

Who Must Comply With PCI DSS Requirements?

The short answer is that if your business accepts credit cards, debit cards, or online payments, PCI DSS applies to you. Any company that processes, transmits, or stores cardholder data must be PCI DSS compliant. This includes physical stores with card readers, e-commerce stores with card-not-present transactions, and subscription-based business models with recurring payments.

The purpose of implementing a PCI DSS framework is to keep cardholder data secure. The rising threat — and cost — of data breaches makes PCI compliance an urgent matter for business owners. More than 10% of all cyberattacks target retailers, even hitting big-name brands like Target, Forever 21, Staples, and Neiman Marcus.

Does PCI DSS Apply To Small Businesses?

Any business that handles cardholder data must comply with PCI DSS, no matter the size. Whether you have 10 employees or 100, your team needs to know and follow data security best practices. Whether you make $50,000 a year or sell millions worth of goods, PCI DSS compliance has to be a priority.

But can small business owners really afford to spend time and money on cybersecurity? Think of it this way: Fines for PCI DSS violations generally start at $5,000 and scale to $500,000 or more. Investing in PCI DSS compliance costs small businesses far less, especially if they use secure payment processing systems.

What Companies Need To Comply With PCI DSS?

PCI DSS divides the businesses that must comply into two groups: merchants and service providers.

Who Are Merchants?

In the context of the payment card industry, merchants are the businesses that accept cardholder payments. Before they can process credit card transactions, businesses have to set up a merchant account.

Here are a few examples of merchants:

  • Restaurants and coffee shops
  • Grocery stores
  • Clothing stores
  • Hardware stores
  • Car dealerships

Even many service businesses have merchant accounts these days, from general contractors and landscaping companies to dentists and chiropractors.

What Are Service Providers in PCI DSS?

Don’t confuse professional services (e.g., accountants) with PCI service providers. In PCI DSS compliance, service providers are organizations that process cardholder information on behalf of merchants or interact with sensitive authentication data. Service providers may store or transmit cardholder data, verify it, or manage the hardware or software used in processing.

Some examples include:

  • Banks that offer merchant accounts
  • Independent sales organizations (third-party underwriters)
  • Payment gateways
  • Payment service providers (e.g., PayPal, Stripe, and Square)
  • Software-as-a-service developers (when platforms include payment processing)

Some internet service providers host businesses that process cardholder data, which means the ISP would also need to meet PCI DSS compliance requirements. Companies that offer cloud storage or VPN services can also face similar situations.

What Are PCI DSS Merchant Compliance Levels?

At this point, you may be thinking that it’s unfair for smaller businesses to have to meet the same cybersecurity requirements as global brands. And you would be right. While PCI DSS expects your business to follow good data security practices, the compliance process varies by merchant level.

Level 4 Merchants

If your business processes fewer than 20,000 credit card, debit card, or e-commerce transactions a year, you’re a level 4 merchant. This is the foundational level of PCI DSS compliance.

You need to comply with 12 cybersecurity requirements, such as making sure only authorized users have access to processing devices and keeping antivirus programs up to date. Once a year, you have to fill out a self-assessment questionnaire (SAQ).

Level 3 Merchants

A level 3 merchant handles more than 20,000 transactions annually but fewer than 1 million. Level 3 merchants also need to fill out an annual SAQ. How detailed the assessment is depends on how much direct contact your business has with cardholder data, ranging from SAQ A (the easiest) to SAQ D (the most complex).

Level 2 Merchants

Level 2 merchants process between 1 million and 6 million transactions a year. The PCI DSS requirements at this level are the same, but demonstrating compliance is often more difficult. Along with completing the SAQ, many level 2 merchants need a professionally verified Attestation of Compliance.

Level 1 Merchants

The highest merchant category in PCI DSS processes over 6 million transactions a year. Level 1 merchants have to implement strict data security controls, undergo professional audits, and submit a third-party Report on Compliance every year. The necessary PCI DSS assessment has to be carried out by a certified Internal Security Assessor or an approved Qualified Security Assessor.

What Industries Does PCI DSS Apply To?

Does PCI DSS apply to hotels?

The number of businesses that accept digital payments has increased significantly, including B2B enterprises. The following industries often deal with a high volume of credit card transactions:

  • Travel, tourism, and vacation planning
  • Retailers
  • Hotels
  • Restaurants, bars, and coffee shops
  • Hospitals and healthcare businesses
  • Wholesalers and distributors

Many of these industries are also leading targets of cyber criminals, making PCI DSS compliance even more critical.

Do You Need To Comply With PCI DSS With a Point-of-Sale System or Mobile Payments App?

High-tech payment processing solutions such as POS systems can reduce your business’s PCI DSS scope significantly. This means you shift the majority of processing tasks to a third-party provider, such as Apple Pay.

Of course, you still need to be PCI DSS compliant, but the required steps are much simpler. For example, Shopify is PCI DSS level 1 compliant, so hosted websites that use its payment tools also benefit from the same level of compliance.

Choose a Compliance Platform Designed for the Organizations PCI DSS Applies To

Complying with PCI DSS involves implementing dozens of data security policies and controls. Monitoring and automation platforms like Compyl can make your efforts more effective — and cost-effective. Learn more about the PCI DSS and who it applies to today.
