Ultimately, PCI DSS is designed to ensure that sensitive authentication data (such as the three-digit security code on the back of a plastic card) is not stored once the card authorisation process has been completed. The card number itself also needs to be protected, usually with encryption.
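As an added illustration of that storage rule (example code written for this page, not from the article or from any PCI document), the helper below scrubs an authorisation record before it is persisted: it drops the fields PCI DSS classes as sensitive authentication data, masks the card number to the first six and last four digits, and offers a pre-storage check that flags any record still carrying such data or a full, Luhn-valid PAN. The field names, the sample record and the masking helper are assumptions for the demonstration; encryption or tokenisation of the full PAN, where it must be retained, would be done with a proper library rather than in this snippet.

```python
"""Post-authorisation scrubbing and pre-storage check for card records.

Constructed example: field names (pan, cvv, track2, ...) and the sample
record are assumed for illustration and do not come from the article.
"""

# Fields treated here as sensitive authentication data (SAD): these must
# never be written to disk or a database after authorisation completes.
SAD_FIELDS = {"cvv", "cvc", "cvv2", "track1", "track2", "pin", "pin_block"}


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Reduce a PAN to first six + last four digits, the masking PCI DSS permits to be displayed."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_for_storage(record: dict) -> dict:
    """Return a copy of the record with SAD removed and the PAN masked."""
    out = {k: v for k, v in record.items() if k.lower() not in SAD_FIELDS}
    if "pan" in out:
        out["pan"] = mask_pan(str(out["pan"]))
    return out


def storage_violations(record: dict) -> list:
    """List reasons the record must not be persisted as-is (empty list means clean)."""
    problems = []
    for k in record:
        if k.lower() in SAD_FIELDS:
            problems.append(f"sensitive authentication data present: {k}")
    for k, v in record.items():
        s = str(v)
        compact = s.replace(" ", "").replace("-", "")
        digits = "".join(ch for ch in compact if ch.isdigit())
        # An unmasked PAN is a 13-19 digit run that is all digits and Luhn-valid.
        if 13 <= len(digits) <= 19 and compact == digits and luhn_ok(digits):
            problems.append(f"unmasked PAN in field: {k}")
    return problems


# Constructed sample authorisation response; 4111... is a well-known test PAN.
RAW_AUTH_RECORD = {
    "pan": "4111 1111 1111 1111",
    "cvv": "123",
    "amount": "12.50",
    "auth_code": "A1B2",
}


def demo() -> dict:
    """Scrub the sample record and return the version that is safe to store."""
    before = storage_violations(RAW_AUTH_RECORD)
    safe = scrub_for_storage(RAW_AUTH_RECORD)
    after = storage_violations(safe)
    print("violations before scrub:", before)
    print("violations after scrub:", after)
    return safe


if __name__ == "__main__":
    demo()
```

In a merchant system the `storage_violations` check would sit directly in front of whatever writes transaction logs or database rows, so that a change elsewhere in the code which starts leaking the security code or the full PAN is caught at the point of persistence rather than at the next assessment.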
The systems and processes that need to be implemented to ensure this will obviously vary according to the nature, volume and scope of the transactions a merchant processes, and of course how the merchant processes them. The method of validating compliance therefore also varies according to the kind and volume of payments being processed.
So it makes sense that a small gift shop will not need to jump through the same hoops as an international supermarket in order to reassure the acquiring banks (the ones that pay out the money and ultimately take all of the risk) that it is fit to process electronic card transactions.
In fact, there are four levels of PCI DSS compliance, and the majority of merchants fall into the lowest tier (level 4), which is for merchants that process fewer than 20,000 transactions per year.
Although it is the merchant's responsibility to register and ultimately certify themselves as compliant, the process is not as arduous as many people believe. To achieve level 4 compliance, which covers the vast majority of merchants, it is simply a case of completing an annual Self-Assessment Questionnaire (SAQ), having a quarterly network scan performed by an Approved Scanning Vendor (ASV), and completing an Attestation of Compliance form, which forms part of the SAQ.
So although it may be of benefit to engage the services of a Qualified Security Assessor (QSA), especially if you have networks or storage centres that may transmit or hold sensitive data for part of the transaction, this will not always be necessary. What is certain is that a QSA should be offering independent advice, rather than pushing merchants down the route of expensive hardware and software "solutions", when all that may be required is the completion of a questionnaire.
What is also certain is that ignoring PCI DSS compliance will end up costing you money as a merchant if you are processing card transactions. For example, Barclaycard Merchant Services charge 0.15% of the value of every transaction on top of their standard charges for merchants that are not compliant.