What level of PCI compliance or self-assessment is required for companies who don't store any PCI data in their network, but do take card details over the phone and enter them into a web application hosted by a 3rd party? I know there are different rules for PCI compliance and auditing based on a few factors, i.e. transaction volume and whether data is stored internally or not.
They also access this 3rd party web app from within their private network, just as they would access www.google.com from a PC within their private network. Are there any procedural (i.e. non-IT-technical) PCI compliance requirements that such a company would need policies around? I'd rather have comments as opposed to a link to the PCI website.