00) Does your organisation process, store, or transmit online cardholder data?
PCI DSS Scoping
Written by Haydn Brooks
Created on March 21, 2019
Modified on August 27, 2019

Answer yes if your organisation owns infrastructure that accepts, processes, stores, or transmits credit card information. If you accept card payments through a third party, such as PayPal or Stripe, and card information does not touch your servers, answer no.

The Payment Card Industry Data Security Standard (PCI DSS) applies to companies of any size that accept credit card payments. If your company intends to accept card payments, and store, process and/or transmit cardholder data, you need to host your data in a PCI DSS-compliant manner.

If you accept card payments through a third party, such as PayPal or Stripe, and the card data does not get stored on your IT systems, you can answer no to this question.