Any business handling financial transactions is a target for cybercriminals, who follow the money. Ecommerce losses due to online payment fraud are expected to reach more than US$48 billion worldwide by the end of 2023. The PwC Global Economic Crime and Fraud Survey 2022 found that more than half of respondents had experienced financial fraud over the previous two years. According to the Verizon 2023 Data Breach Investigations Report (DBIR), privilege misuse is behind most data breaches in the financial sector.

Since the PCI DSS standard applies to any organization that accepts, processes, stores, or transmits cardholder data, the following types of organizations must demonstrate compliance with the standard:

Merchants of all sizes

Financial institutions

Payment processors, both hardware- and software-based

Point-of-sale (POS) vendors

Examples of organizations impacted by PCI DSS include the following:

Small merchants and retailers

Small and medium-sized businesses (SMBs) are as much at risk of a serious data breach as their larger counterparts. According to the 2022 DBIR, 61% of SMBs experienced at least one data breach. Small merchants must comply with the tenets of PCI DSS, under which there are four merchant compliance levels:

Level 1: Process over 6 million card transactions annually

Level 2: Process 1 to 6 million transactions annually

Level 3: Process 20,000 to 1 million transactions annually

Level 4: Process fewer than 20,000 transactions annually

Small merchants must approach security as a comprehensive exercise: protecting their IT systems with firewalls, implementing robust access controls, and applying encryption to cardholder data. To achieve and simplify this level of 360-degree security, SMBs should look for solutions that can secure data, devices, and people.

Service providers

A service provider is any business that could affect the security of payment data, even data belonging to another organization. PCI DSS defines two service provider compliance levels, determined by the volume of transactions the service provider handles:

Level 1 Service Provider: 300,000 or more transactions per year (2.5 million or more transactions for American Express)

Level 2 Service Provider: Less than 300,000 transactions per year (less than 2.5 million transactions for American Express)

As with SMB merchants, service providers must abide by PCI DSS security measures and controls.