By: Prateek Rastogi

As technologies evolve, and more and more companies outsource their card payment systems, the question we receive from entities time and again as QSAs is – “We don’t store cardholder data. Is PCI still applicable to us?” 

The short answer is YES. 

The longer answer is PCI compliance applies to everyone who stores, processes or transmits cardholder data. Thus, if you are a retailer, an e-commerce portal or a service provider, and if there is any way you can impact the security of card information, then PCI compliance will apply to you. 

The good news is, depending on your merchant level (determined by your acquirer), the number of PCI controls that apply to you may be somewhat reduced, thus making it super easy to achieve, and stay, compliant.  

If you are a level