An interesting discussion that I have been having of late is that many people do not really comprehend the difference between PCI-DSS compliance and validation requirements. Here it is in a nutshell:

Compliance: Everyone has to be compliant to 100% of the PCI-DSS standard 100% of the time, regardless of “level”. There is NO distinction between a level 1 and a level 4 in terms of their compliance requirements.

Validation: A set of things “to do” to assure another party that you are compliant. Typically based on transaction volume and/or type of organization (e.g., service provider, gateway, merchant, etc.). Validation is where the terms level 1, 2, 3, 4 are used. There are different requirements, defined by card brand or acquirer, that must be done for different levels. It should be noted that the existence of the PCI Security Standards Council is a step toward making the validation requirements consistent throughout the industry.

So, everyone who “stores, processes, or transmits cardholder data” is required to be 100% compliant 7×24, however depending on their business, the validation requirements differ.

The analogy I like to use is the speed limit. The law says that you have to “comply” with the speed limit. However, there is only periodic “validation” of that compliance. Not the best analogy, but it gets the point across. So when a level 4 asks me “do I really have to be compliant with 12.1?”, the answer is “YES!”. The real question is, what does it mean to be compliant? For my thoughts on that, see my previous post on selecting a QSA.