One of the questions we get asked a lot is “Where does it say that someone has to be PCI compliant?”
To understand the answer to this, first we have to understand how the responsibilities are set out.
Who Sets the Rules?
First, the PCI Security Standards Council (or PCI SSC) sets out the rules. The Council is made up of the five major card-issuing brands (American Express, Discover, JCB, MasterCard, and Visa). It sets the standards and defines what makes someone a service provider or a merchant. And that’s the first place where we see who PCI DSS applies to: