There are two kinds of entities that require enforcement of PCI standards: the 'merchants' and the 'service providers'. The merchants are defined as the ones who either have a physical shop with a POS (point of sale) device to accept credit cards, or alternately, have an online shop. Each of them are issued a merchant ID. Think of the service providers like gateways or credit card processing companies that handle all the actual processing, storage, transmission and switching of transaction and cardholder data. They also help smaller merchants handle their transactions.

The PCI SSC along with the credit card companies, have created four levels of standards based on the risk involved with the merchants and service providers.

The merchants and service providers have to make sure that the security they have running on their systems is based on their respective level standard, which is categorized by the number card transactions they handle on an annual basis.

An example of Levels for Visa Card merchants is:

Level 1: More than 6 million transactions per year