PCI compliance refers to compliance with the requirements of the Payment Card Industry Data Security Standard (PCI DSS) by any business entity that has a Merchant ID and processes credit cards from the major card brands. PCI compliance standards are enforced by the payment brands, not by the PCI Council, and they apply to all organizations that handle cardholder data. A merchant typically works with its merchant (acquiring) bank when implementing the compliance requirements.
A merchant is usually assigned a compliance level based on the number of transactions it processes in a year; the levels range from 1 to 4. Level 1 is the highest and applies to merchants that process over 6 million transactions, while Level 4 is the lowest, at 20,000 transactions per year. Small- to medium-sized enterprises (SMEs) may satisfy the PCI compliance requirements by completing the Self-Assessment Questionnaire (SAQ). An SME must also pass a vulnerability scan by a PCI Council-approved scanning vendor, complete the Attestation of Compliance form, and submit the completed SAQ. Having an SSL certificate is not the same as being PCI compliant: the certificate protects data in transit, but it does not remove the vulnerability of a merchant's website to malicious attacks. As of 2014, acquiring banks may be fined between $5,000 and $100,000 per month for any violations of PCI compliance.