Understanding The PCI Compliance Spectrum

The rules governing the PCI DSS can be complex and confusing. When coupled with the 250+ requirements and their dependencies, it can be a daunting task to understand which systems the standard applies to, and which requirements apply under what conditions. In training thousands of QSAs, merchants, and banks, I have developed a concept that helps (I hope) organizations understand the applicability of the PCI DSS. This concept is called the PCI Compliance Spectrum. Consider a spectrum like the one pictured in the graphic below.


Deconstructing the spectrum

On the far right of the spectrum is a merchant that accepts cardholder data for payment of goods or services. In addition to directly receiving the data into its own Web-based payment application, developed in-house, it also stores the data in a database. Every function is managed by the organization, and nothing is outsourced. The merchant on the far left-hand side of the spectrum also has a merchant ID that defines it as a merchant and allows it to accept payment cards as payment for goods or services. This company, however, has elected not to accept any payment cards, and therefore never stores, transmits, or processes any cardholder data within its environment.

Since both companies are merchants, the operating regulations of the card brands (Visa, MasterCard, etc.) mandate that both companies comply with the PCI DSS.  Understanding this, the question then becomes, what requirements apply?

Illustrating levels of compliance

The company on the far right-hand side of the spectrum will need to comply with all 12 high-level requirements, as well as all 250+ sub-requirements, because it directly stores, transmits, and processes cardholder data within its systems. Additionally, it develops its own payment applications in-house. By contrast, the company on the far left of the spectrum still has to comply with the PCI DSS, but no requirements apply to this specific merchant since it does not store, transmit, or process cardholder data. The PCI DSS is clear when it says: "The PCI DSS requirements only apply if a company stores, transmits, and/or processes cardholder data." By not handling data, the company has reduced its compliance burden by 100 percent while still complying with the card brand rules and remaining in compliance with the standard.

Clearly, the company on the far left side of the spectrum exists in theory alone. Companies will have a need to handle cardholder data at some level. The point is to demonstrate the concept of the compliance spectrum. By minimizing how cardholder data is handled, companies can reduce the number of PCI requirements that apply to their environment and reduce the cost and complexity of their PCI DSS project.

If you have specific questions on PCI compliance, leave them in comments and I will be happy to answer them. If this post has helped you better understand PCI compliance, please share it with others using the social links below.
Chris Mark, PCI National Practice Lead, AT&T