It is often asked if this organization should be PCI Compliant. Many conferences include a discussion around the topic of Who should be PCI compliant.

PCI DSS is applicable to all organizations who store, process or transmit account data. Extract from the PCI Standard tells us that the account data consist of cardholder data plus Sensitive Authentication Data

Cardholder data includes:

• Primary Account Number (PAN)
• Cardholder Name
• Expiration Date
• Service Code

Sensitive Authentication Data includes:

• Full magnetic stripe data or equivalent on a chip
• CAV2/CVC2/CVV2/CID
• PINs/PIN blocks

If the PAN is stored, processed or transmitted then the PCI DSS requirements are applicable to the organization. However, if the PAN is not stored, processed or transmitted PCI DSS requirements do not apply.

This provides clarity on whether or not your organization falls under the PCI DSS requirement and weather you should be PCI Compliant.