As the PCI DSS matured, it also expanded its scope. Today, virtually any business that handles cardholder data must comply with PCI DSS. Specifically, PCI DSS applies to all entities (merchants and service providers) involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process, or transmit cardholder data and/or sensitive authentication data.
Unfortunately, the authors and sponsors of the PCI DSS are much like government lawmakers: they do not write rules that are crystal clear and easy for most people to understand and support. Many businesses in the world are small and medium sized, and their core competency is not information technology, information security, or compliance. Consequently, most companies do require help from professionals who are PCI DSS specialists and can help the client develop and implement a compliance plan. The good news is that they will find many potential choices. Also good news is the fact that the PCI DSS compliance validation requirements are less strict for companies that process a small volume of credit card transactions annually, while larger companies face stricter guidelines and must adhere to additional testing and validation procedures.