If you are confused by the PCI DSS requirements and procedures, you’ve come to the right place. With PCI come a set of tricky issues that can damage your business heavily. With all that in mind, we present you with the most common PCI compliance myths you should be aware of so that you’ll take care of all these things in the future whenever you need them. Let’s clear the air, shall we?
Myth #1: Small merchants that take just a few cards a year don’t need to comply with PCI DSS
This is inaccurate. Anyone who processes even one transaction a year must comply with PCI DSS according to their SAQ. No matter how big your business is, if you process, transmit, or store the cardholder data of even one card, you must pass the PCI security requirements.
Myth #2: PCI is enforced by Federal law
This is another myth that goes around. Even though it is mandatory for any business that takes card transactions, PCI is enforced by the PCI Security Standards Council (SSC), an independent private organization created by the five biggest payment card brands (Mastercard, Visa International, American Express, JCB, and Discover) to address the growing issue of card data theft and abuse.
There are some exceptions on the state level (Minnesota, Nevada, and Washington for now) where the states have incorporated PCI in the state law.
Regardless of the non-federal status of the standard, the SSC, the card brands, and other parties can legally impose fines and penalties that will eventually reach your business (they fine a bank, and the bank passes the cost all the way down to you). Other parties, such as banks, can also legally raise transaction fees to a ruinous level, driving a small business into bankruptcy in a matter of weeks or months.
Myth #3: If you comply with most of the criteria, you’re off the hook
We all know how tedious and expensive it can be to make your business PCI compliant. Even the best of us would want at least a break, or to stop somewhere along the way. We understand that. But what is also important to understand is the complexity of data abuse risks.
Hackers never stop working and are constantly trying to figure out how to bypass the various defenses we put in front of them. The truth of the matter is that bypassing a single defensive measure is relatively easy. Firewall? No problem. Anti-virus? There are ways around it. Encryption? Just obtain the key, and someone's card data is in their hands.
But setting up several layers of defense makes the job considerably harder. Layer the defenses sufficiently and an attacker runs out of time before an alarm is raised and something in those layers stops them. The same goes for the physical measures required by PCI. So, unfortunately, everyone is required to complete every requirement in line with their SAQ.
Myth #4: I only need to protect credit cards; others are fine
PCI stands for Payment Card Industry, not Credit Card Industry. Even though some of the big brands are louder about securing their cards (like Visa International), that does not mean other payment cards, such as debit cards, may be stored in any manner you like. Any data that can lead to identity theft or to theft of money from a bank account must be secured according to the PCI standards.
Myth #5: SAQ is not important; answer ‘yes’ to every question
This one is a dangerous game. It is so risky that it can cost you your whole business. Should a data compromise occur in your business environment, there will be audits to check whether everything was actually in place. If the authorities learn that the reality does not match your SAQ, it will be taken seriously, and there will be severe penalties that can leave your business in serious debt and loss.
Myth #6: Merchants are entitled to store any kind of data independently
Neither PCI nor Federal law looks kindly upon merchants storing cardholder data as they see fit. When it comes to PCI, there are strict rules regarding:
- Card numbers that are not encrypted
- CVVs and CVV2s
- PINs
- PIN blocks
- Magstripe data
If an audit finds any of the data above stored in your environment after a compromise, the business faces severe consequences and fines.
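A practical way to check your own logs and exports for the data listed above is a scanner that flags Luhn-valid card numbers, CVV fields, and magstripe track data, and reports card numbers only in masked form. This is an added example, not code from the original article; the records, field names and patterns are constructed for illustration.

```python
import re

# Constructed sample records, as they might appear in an application log or export.
# The card numbers are well-known test PANs, not real accounts; the CVV and the
# magstripe track line are likewise constructed.
SAMPLE_RECORDS = [
    "2024-01-05 order=1001 pan=4111111111111111 exp=12/26",
    "2024-01-05 order=1002 pan=5555-5555-5555-4444 cvv=123",
    "2024-01-05 order=1003 ref=1234567890123 status=ok",  # 13 digits, fails Luhn
    "2024-01-05 order=1004 track=%B4111111111111111^DOE/JOHN^2612101?",
]

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Security code stored next to a field name such as cvv=, cvv2: or cvc=.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)
# Track 2-style magstripe data: %B<PAN>^<NAME>^... (format assumed for this example).
TRACK_RE = re.compile(r"%B\d{13,19}\^[^^]*\^")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; weeds out order numbers and other digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Report only the last four digits so the scanner itself never re-stores a full PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_record(line: str) -> list:
    findings = []
    for m in CANDIDATE_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("PAN", mask_pan(digits)))
    if CVV_RE.search(line):
        findings.append(("CVV", "present"))
    if TRACK_RE.search(line):
        findings.append(("TRACK", "present"))
    return findings


def scan(records: list) -> dict:
    """Map record index -> findings, for records that contain prohibited data."""
    results = {i: scan_record(r) for i, r in enumerate(records)}
    return {i: f for i, f in results.items() if f}
```

Run `scan(SAMPLE_RECORDS)` to see which records would fail the rule; the 13-digit reference number in the third record is correctly ignored because it fails the Luhn check.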
Myth #7: I didn’t sign for any PCI compliance; it doesn’t apply to me
PCI compliance is enforced through the banks that provide merchant accounts. Any contract with a bank signed after 2006 contains clauses stating that PCI compliance is necessary to keep the relationship between the bank and the business active. Some clauses are worded so that non-compliance with PCI can lead to the termination of the merchant account.
Myth #8: It’s enough to outsource credit cards; I don’t need anything else
PCI standards apply to and regulate ANY processing, transmission, and storage of cardholder data. Outsourcing card data management dramatically reduces the burden of making your business compliant, but some responsibilities will still be yours. For example, if you have a website, you still have to secure it if a weakness in it could lead to compromised card data. Sending card data over an open public network can also easily leak it in the wrong direction, so encryption and other steps are needed to counter this. There are other examples as well, clearly stated in the respective SAQs.
Myth #9: With PCI, I am completely secure
Nope. Malicious actors are numerous and, in some cases, well connected. These persons and organizations constantly figure out ways to bypass multiple layers of security. They can succeed, both in theory and in practice, and sometimes they do. This is why PCI mandates that all systems and applications be updated regularly. Many out-of-date versions have been abandoned because of pretty imaginative security breaches and weak spots, cunningly identified by hackers.
We hope that this rundown was helpful and that you have learned something new about the PCI compliance myths circulating on the web. Stay safe, guys!