To satisfy the requirements of PCI, a Merchant must do two things: Comply with the Data Security Standard (by meeting all of the requirements laid out in the Data Security Standard), and Validate their compliance. This means the Merchant must SHOW (in a manner appropriate to their size and situation) that they are complying with
PCI is not, in itself, a law: the standard was put together by business organizations including Visa, MasterCard, and the other major card companies. Merchants that do not comply with PCI DSS are not necessarily breaking any law, but they are probably violating their Terms of Service or contract with their acquiring bank and the
PCI applies to ALL organizations or Merchants, regardless of size, that accept, transmit, or store any payment card information. In other words, if any customer of that organization ever pays using a credit card or debit card, then the PCI DSS requirements apply.
PCI DSS stands for 'Payment Card Industry Data Security Standard'. This is a set of security requirements created by the Payment Card Industry, laying out what Merchants need to do to protect customer information. The PCI Council (which is an industry body made up of organizations like Visa, MasterCard, American Express, Discover, etc.) requires that