The Payment Card Industry Data Security Standard (PCI DSS) helps to ensure the security of cardholder data that is stored, processed or transmitted by merchants and processors. PCI DSS has 12 outlined requirements that businesses must follow and complete proper measures to become compliant. While PCI DSS helps protect customers and the business, there are still myths that need to be dispelled:
One vendor and product will make us compliant
There are multiple vendors that offer a wide range of software and services for PCI, but no single vendor or product will address all requirements of PCI DSS. A well-rounded security approach should be instituted.
Outsourcing card processing makes us compliant
Outsourcing simplifies payment card processing but does not ensure automatic compliance. Policies and procedures for cardholder transactions and data processing should be stressed to all employees.
PCI DSS compliance is an IT project
The IT department implements technical and operational aspects of PCI-related systems, but compliance to the payment brand’s programs is an ongoing process of assessment, remediation and reporting. PCI compliance is an integral part which involves all parts of a business.
PCI DSS will make us secure
While a system scan and assessment is required for PCI, it will not ensure total security because it is an ongoing process to make sure that all cardholder data is safe.
PCI DSS is unreasonable; it requires too much
A large portion of PCI DSS is already common practice when running your business and there is some flexibility when it comes to compensating controls. The standards provide specific details so it does not leave the business seeking more answers.
PCI DSS requires us to hire a Qualified Security Assessor
While large merchants sometimes hire a QSA to help manage the complex technology, the standards provide an option of doing an internal assessment which uses the Self-Assessment Questionnaire online.
We don’t take enough credit cards to be compliant
PCI compliance is required for any business that accepts debit and/or credit cards, regardless of the amount.
We completed a SAQ so we’re compliant
This holds true for merchants that are not equired to do an on-site assessments, a bad system change can make your business non-compliant. Again, truly safe cardholder data requires continuance assessments.
PCI DSS makes us store cardholder data
Storing credit card holder information is not allowed. However, if there is a business reason to store front-card information, PCI DSS requires this data to be encrypted or unreadable.
PCI DSS is too hard
While it may seem like the 12 requirements of PCI DSS are rigorous, following the procedures essentially calls for basic security. There are products, services and people that can help make the PCI DSS process as simple as possible. Costs and difficulties of becoming compliant do not compare to the issues that could happen if you are not PCI compliant.