Are you guilty of any of these PCI myths?
June 27, 2016
PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of security standards designed to ensure all companies that process, store or transmit credit card information maintain a secure environment.
We often hear business owners tell us all kinds of reasons on why they do not need to be PCI compliant or even explain to us that they are PCI compliant without knowing that they are not.
We get it, taking care of a business is a lot of work and learning about PCI compliance can be a whole other full time job. PCI is a continuous effort to be and stay compliant while also keeping track of its updates. See latest PCI DSS updates.
The reality is that PCI applies to any company of any size that accepts credit card payments. If your company accepts credit card payment, stores it, process it and transmits cardholder data, you must have that data secured with a PCI compliant provider.
PCI compliance can be confusing, however that doesn't mean that it has to be difficult. Understanding PCI involves understanding the definitions of the terminology used such as compliance, validation, and assessments.
We have gathered what have been common comments that we hear from business owners. And today, we would like to bust these myths! Here we go!
Myth: My business is too small and I only have a few credit card transactions. I don’t need to be PCI compliant.
We have heard this comment from many business owners. According to the PCI security Standards, if you do at least ONE credit card transaction, you must be PCI compliant.
Your small business is as much of a target for hackers as the big corporations are.
Myth: I have never signed a contract from my bank or POS company stating that I need to be compliant. So it must not be needed.
Remember when you opened your business bank account? There are VISA regulations you adhere to when doing so.
If you store, process or transmit credit card data, you (not the bank or POS company) are responsible for being PCI compliant. In the case that your business gets breached and you are not PCI compliant, the fines and compensation requirements by the bank will negatively affect your business’ profits.
Myth: I’ll just answer ‘yes’ to all the criteria on the Self-Assessment Questionnaire (SAQ) and I’ll be PCI compliant.
The Self-Assessment Questionnaires (SAQ) are validation tools intended to assist merchants and service providers report the results of their PCI self-assessment. You must be honest with these answers as they are crucial to validating your PCI compliance.
If you say ‘Yes’ without being correct, you will be exposing your business to a huge risk of a payment card data breach.
And we both know, that nobody wants a data breach on their brand’s reputation.
Myth: My business doesn’t conduct online orders. Hence, I don’t need PCI.
Whether your customers purchase your goods and services online or in-store, you will need PCI. Payment risks can occur from online services as well as from POS devices. Most of the biggest data breaches that you hear on the news have come from POS devices. Hackers will try every way they can to access payment data.
Myth: PCI compliance and validation are the same.
Compliance, in terms of PCI, is meant as an ongoing activity, not simply an endpoint goal. The overall objective is not only to become compliant but to also maintain that compliance within the requirements of PCI DSS.
Validation on the other hand, is the process of verifying, or validating that compliance (or lack thereof). This could include audit activities (SAQ) or technical validations such as your vulnerability scanning or penetration testing.
Myth: By doing the vulnerability scans and SAQ completion, I’ll be PCI compliant.
Many business owners falsely believe that simply scheduling vulnerability scans and completing the yearly SAQ makes them compliant when in fact, scans only account for 1 out of 6 subsections of requirement #11 in the PCI DSS.
The standard has 12 total requirements, which means that vulnerability scans account for less than 8% of total requirements.
We hope these myths are cleared out for you now. Learning about PCI is vital to the security of your business and most of all, your customers!
If you are interested in continuing your PCI education and learn about the different merchant and validation levels please read more here. And of course, reach out to us for any questions you may have.