If your organisation stores, transmits or processes credit cards you will probably have to meet some requirements of the Payment Card Industry Data Security Standard (also known as PCI-DSS). It was created by the main payment brands in 2006. Each brand used to have its own compliance program before.
Failing to be PCI Compliance may result in monetary penalties, reputational damage, revenue losses etc.
If your organisation decided to become PCI compliant whether you are a service provider or a merchant, you need to figure out what is the level your organisation should be. Merchants and Service Providers are mapped to four (4) levels based on the volume of credit card transactions the business processes on an annual basis. The level should reflect the risk ???to whom??, you should consult your acquirer or payment brand directly to determine your level and reporting requirements.
Companies that are required to undergo an audit and complete a Report on Compliance (ROC) for PCI DSS compliance. This should be assessed by an approved PCI QSA (Qualified Security Assessor). The ROC should be completed for service providers and merchants that are considered level 1. For levels 2-4, there are different SAQ types depending on the payment integration method.