I have never had to deal with PCI DSS because we don't process credit card data. I would check the PCI organization website. Some info below:
PCI Data Security Standard (PCI DSS)

The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data. If you accept or process payment cards, PCI DSS applies to you.
How to Comply with PCI DSS

PCI DSS applies to merchants and other entities that store, process, and/or transmit cardholder data. While the Council is responsible for managing the data security standards, each payment card brand maintains its own separate compliance enforcement programs. Each payment card brand has defined specific requirements for compliance validation and reporting, such as provisions for performing self-assessments and when to engage a QSA. Depending on an entity's classification or risk level (determined by the individual payment card brands), processes for compliance usually follow these steps:

1. Scope – determine which system components and networks are in scope for PCI DSS
2. Assess – examine the compliance of system components in scope following the testing procedures for each PCI DSS requirement
3. Report – assessor and/or entity completes required documentation (e.g. Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC)), including documentation of all compensating controls
4. Attest – complete the appropriate Attestation of Compliance (AOC)
5. Submit – submit the SAQ, ROC, AOC and other requested supporting documentation such as ASV scan reports to the acquirer (for merchants) or to the payment brand/requestor (for service providers)
6. Remediate – if required, perform remediation to address requirements that are not in place, and provide an updated report.