Skip to content

Top 10 Misconceptions of PCI Compliance

March 1, 2013
  • The PCI Data Security Standards is only a recommendation and not a requirementFALSE. In 2004 the major payment brands (American express, Discover, MasterCard, Visa, and JCB) formed the Payment Card Industry Security Standards Council (PCI SSC) as a private regulatory body to facilitate the development of a standard to act as a common set of minimum security requirements to be implemented by all merchants and service providers that handle sensitive credit card data. In June 30th of 2005 the regulations took effect as the PCI Data Security Standard.

    The payment brands themselves enforce the PCI DSS standard for merchants and service providers, regardless of size. If your company stores, processes, or transmits any of the information recorded on a credit or debit card then you must abide by the PCI DSS or face significant fines, higher opex costs through increased compliance requirements, and potential suspension or expulsion from card processing networks.

  • Passing an ASV scan means I’m PCI compliantFALSE. ASV scans are only one part of PCI compliance. All merchants and service providers must also complete a self-assessment questionnaire that serves as a statement of compliance stating that your organization has implemented all of the relevant security controls described in the DSS.  The Self-Assessment Questionnaire is a mechanism for getting the information about the level of your compliance to your merchant bank or to the credit card companies.  You would be risking your whole business by answering yes to the questions, when there is no factual basis for the answers.

    If a compromise took place and it was obvious that you were not, and have never been compliant, the matter would be taken very seriously by all the major payment brands.

  • I don’t process a large number of credit cards (too small, only level3, only level 4), so I don’t have to be compliantFALSE. While merchants processing less than 20k transactions a year are generally not required to seek compliance validation, the obligation for PCI compliance is still there, as are the consequences if the data your store or process is compromised.
  • Since I don’t store credit card information, I don’t have to be PCI compliantFALSE. The PCI DSS does not just apply to the storage of credit card data but also to the handling of data while it is processed or transmitted over networks, phone lines, faxes, etc.  While not storing credit card data does eliminate some compliance requirements the majority of the controls dictated by the DSS remain in effect. The only way to avoid PCI compliance is to transfer the risk entirely to someone else, such as PayPal’s Website Payments Standard service where customers interact with the PayPal software directly and credit card information never traverses your own servers.
  • I use PayPal/Authorize.NET therefore I don’t have to be PCI complaintThere are certain payment products that do transfer the burden of PCI compliance to the payment services provider (e.g. PayPal’s Website Payments Pro) however they require that a consumer be forwarded to the payment provider’s servers to complete their order. If your website integrates with PayPal via an API then you are still liable for PCI compliance since your servers capture and transmit the credit card data first.
  • The payment brands aren’t fining smaller merchants therefore; I have no incentive to be compliantImmediate fines for noncompliance are typically only enforced on merchants processing over a million transactions a year (Level 1 and Level 2) however should you experience a breach and fail to prove your continued compliance with the PCI standard you will be forced to cover chargebacks, have your ability to process credit cards suspended, and escalation into a higher compliance tier, and tens of thousands in annual compliance auditing costs.
  • PCI only applies to ecommercePCI applies to every company that stores, processes or transmits cardholder information, including retail point-of-sale services and mail/phone order.  In fact anyone who takes card present transactions that involve POS devices is typically more at risk than e-commerce solutions. Quite often these types of transactions involve storage of track data (which is forbidden under PCI).
  • PCI compliance ends with a successful assessment 

    A self-assessment questionnaire is a point-in-time indication of your compliance with the PCI standard, however failure to comply continually with the PCI requirements will result in liability should your organization experience a breach.

  • PCI is vague with room for interpretationThe PCI Data Security Standard is the most comprehensive and specific set of security controls ever compiled into a major industry standard or law. Unlike most security standards today (SOX, HIPAA, ISO 27002), PCI has done more than require simple frameworks for security. There is a 73 page document outlining the Requirements and Security Assessment Procedures with other supporting documents on the PCI Security Standards Council website.
  • I use a PA-DSS certified application so I’m compliantUsing a PA-DSS certified application is only one step. You must continue to implement all the other controls within the DSS that involve the management of the servers and networks that run the PA-DSS certified software.
No comments yet

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: