TulipTools Internet Business Owners and Online Sellers Community

Full Version: Merchant Accounts: PCI Compliance Report Card
Quote: The requirements for PCI compliance are determined by what you do with customer credit card data and by your established merchant level. In all cases, it’s worth asking if you are required to be compliant with the PCI Data Security Standard at all. The PCI Security Standards Council provides a document called “Navigating PCI DSS” which explains “The Primary Account Number (PAN) is the defining factor in the applicability of PCI DSS requirements and PA-DSS. If PAN is not stored, processed or transmitted, PCI DSS and PA-DSS do not apply.”

Merchant X does not store or process the PAN. Their payment processing is fully handled by Volusion, who is responsible for the transmission of the PAN and associated data. Merchant X simply doesn’t have access to the cardholder data at all. In other words, Merchant X is not required to be compliant with the PCI DSS because they do not store, process or transmit cardholder data electronically. The small number of telephone orders that Merchant X processes are not handled electronically.

Merchant X received a D for their understanding of the requirements because they simply didn’t ask about the overall applicability of PCI DSS in the first place. Additionally, Merchant X initiated an automated scan against their payment gateway, which they aren’t authorized to scan...

full article: http://www.practicalecommerce.com/articl...y-Retailer-