What is required to be PCI DSS compliant?
PCI DSS requirements apply whenever a Primary Account Number (PAN) is stored, processed or transmitted. If no PAN is stored, processed or transmitted, the PCI DSS requirements do not apply. So if your company stores, processes or transmits the PAN (usually the 16-digit card number printed on the card) in any way, even if it is only passed straight through to a real-time payment gateway or kept for later retrieval, then your business must be PCI DSS compliant, and validated as such, in its own right.
The applicable PCI DSS merchant levels, which determine how compliance must be validated, are as follows:
Level 1: Visa and MasterCard transactions totalling more than 6 million per year worldwide, and any merchant that has suffered a data breach.
Level 2: Visa and MasterCard transactions totalling 1 million to 6 million per year.
Level 3: Visa and MasterCard e-commerce transactions totalling 20,000 to 1 million per year.
Level 4: Visa and MasterCard e-commerce transactions totalling 1 to 20,000 per year.