PCI DSS, the Payment Card Industry Data Security Standard, is a standard that regulates how companies may handle sensitive customer payment information. Compliance with PCI DSS is mandated by the five major credit card brands (Visa, MasterCard, American Express, Discover and the Japan Credit Bureau).
PCI DSS compliance is not a federal law. However, several US states have enacted it into law. Even if you do not do business in such a state, the contractual agreements between you and your merchant services provider will very likely require you to be PCI compliant. Those contracts will also list penalties, usually in the high four to five digits.
Your bank might also have to pay penalties because of your actions. Those penalties will likely have to be paid by you as well.
Finally, if you are found to be non-compliant, you might end up on a blacklist, preventing you from ever accepting any credit card again. That is in most cases a death sentence for your business.
So, if you are required to adhere to the standard, it is in your very best interest to actually do so. But, what type of businesses are required to be PCI DSS compliant?
Let me ask you a simple question: Do you offer goods or services that customers can pay for using their credit card?
If you answered "yes" to this question, your business is required to be PCI DSS compliant. Period.
It is not important if you are collecting the credit card numbers yourself, or if you are using an outsourced credit card processor. It is not important if you have ten or ten billion USD yearly revenue. It is not important if you have 60 million customers or just one.
If you can receive money through any means that involves a customer's credit (or debit) card, your business has to be PCI DSS compliant.
Being compliant can be expensive. However, non-compliance can be even more expensive - to you, to your bank and even to your customers. Some violations might even land you on a credit card blacklist, preventing you from accepting credit cards in the future.
It is in your own best interest to take the steps necessary and become PCI DSS compliant now.