This is a common misconception. The PCI Data Security Standard applies to all organizations that accept, transmit, or store any cardholder data, regardless of size or number of transactions. The validation requirements may vary based on transaction volume, but the core security controls apply to everyone.