PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply.

This is an interesting tidbit. Most banks and financial institutions don’t realize that they fall under PCI DSS requirements. I was doing an audit for a credit union and this came up in a discussion. They issue credit cards and take credit card payments, but these transactions are handled by a third party, which passes the PCI DSS requirements on to that third party. However, their ATMs accept credit cards and debit cards, and the Primary Account Number (PAN), i.e. the credit card number, is transmitted and stored on their computers. That brings them into scope for PCI DSS requirements, and subsequently PCI audits will be necessary.