I was general counsel to a payment technology company for 10 years. We processed mobile payments via app and card-present scenarios, processing roughly $900M annually. I have gone through the PCI-DSS certification process on numerous occasions.
To answer your question, it depends on how much you are processing. The first million or so is subject only to a self-certification process. After that, you will be required to have third parties do the appropriate testing and issue the certification. Generally speaking, your merchant bank will give you the requirements.
Happy to have a call and answer any questions.