Security Basics mailing list archives

RE: Is PCI Compliance Mandatory


From: "Palmer, Mark" <mpalmer () hoovers com>
Date: Mon, 14 Jan 2008 09:36:38 -0600

Quoting the PCI's Data Security Standards v1.1:

"PCI DSS requirements are applicable if a Primary Account Number (PAN)
is *stored*, *processed*, or *transmitted*. If a PAN is not stored,
processed, or transmitted, PCI DSS requirements do not apply."

Just because you are not storing the card number does not necessarily
exclude you from the scope of PCI DSS.  I'd suspect your organization
might be transmitting card holder data.  If true, then PCI-DSS applies.
But that's a decision you and your company's management team must make.


There are other items to consider:

1) What level merchant are you?  Ask your acquiring bank for this
information.
2) How does your company manage risk?
3) What payment application are you using? Is it on the list of
Vulnerable Payment applications?
4) Is your payment vendor compliant?  What are you doing to ensure they
are compliant?
5...) Lots more questions go here....

Working with your acquiring bank is the best place to start.  They will
be able to provide you additional guidance.  Depending on what the
acquiring bank requires from your organization, you may want to consider
some consultation.  Consulting is not a requirement, but may help jump
start a company's PCI efforts.

Remember, PCI compliance is not a project; it is an ongoing effort to
validate your organization's effort (or lack thereof) to secure and
protect card holder data.

Mark Palmer
