Top 10 PCI Compliance Myths Busted
Myths…legends…fairytales…in your free time, they can be entertaining. But when it comes to the requirements around handling sensitive data, believing myths about the Payment Card Industry Data Security Standard (PCI DSS), or PCI compliance as it is commonly called, can lead to problems.
How can you determine what is myth and what is fact? The best way is to trust a payments industry leader like Base Commerce to give you the clear, concise truth.
PCI Compliance Myths Exposed
Below are some of the most common PCI compliance myths and the facts that you need to be aware of to ensure your business isn’t in violation of any regulations.
Myth #1: I don’t do high-volume business and my customers rarely use credit cards, so the PCI rules don’t apply to me.
Myth Busted: It doesn’t matter if you process one credit card transaction per year or one million. If you take any number of credit cards using any mechanism, your operations must be compliant.
Myth #2: There are key PCI compliance standards you have to meet. The rest are optional.
Myth Busted: To be PCI compliant, you have to meet 100 percent of the requirements. Fail on even one item and you have failed to comply. In fact, you should be aiming even higher than 100 percent. Investing the time and effort to exceed the standards is a good idea.
Myth #3: ATM debit card data is exempt from PCI requirements, which only cover credit card data.
Myth Busted: Many debit cards can be used both to handle purchases as a debit or a credit. For this reason and others, debit cards are covered by PCI regulations.
Myth #4: PCI only applies to companies that do business online (i.e., e-commerce companies).
Myth Busted: If your company processes, transmits, or stores cardholder data, you must be PCI compliant. In fact, in-person transactions are generally more exposed to compromise than e-commerce transactions, for a number of reasons. And, if you fail to secure your customers’ data, you can be heavily fined.
Myth #5: All I have to do is answer “yes” to all the questions on the Self-Assessment Questionnaire (SAQ) and I’ll be fine.
Myth Busted: You use the SAQ to provide your merchant bank with important information about your level of compliance. If you lie on that form, it may become a serious problem, especially if a data breach takes place later and it becomes clear you actually are not compliant.
Myth #6: I’m not obligated to be PCI compliant until my bank requires it.
Myth Busted: You are responsible for being in compliance from the first credit card transaction you accept, whether your bank has asked about your status or not. “Nobody told me I had to be,” is not a defensible position.
Myth #7: I’ve been in business with the same bank for decades and have never been PCI compliant in the past, so I don’t have to be now.
Myth Busted: If you process, transmit, or store cardholder data today, you must be PCI compliant today, regardless of your history with your bank.
Myth #8: As long as I am PCI compliant, I can store any cardholder data that I choose to.
Myth Busted: You do not “own” cardholder data, and PCI regulations clearly state that you may not store any of the following: unencrypted credit card numbers, track 1 or track 2 data, CVV or CVV2 values, PINs, or PIN blocks. In fact, storing that information may put you in violation of card brand regulations. If it is found in your possession, including in audit trails, log files, etc., there can be serious ramifications, especially if your security has been breached. One of those ramifications is that the card brands can blacklist you from accepting their branded payment form in the future, which can severely limit the payment options you can offer your consumers.
Myth #9: PCI standards require that we store cardholder data.
Myth Busted: Quite the opposite: PCI regulations encourage merchants not to store data and identify many types of data that you are forbidden from storing (information from the magnetic stripe on the back of a card, for example). Data that you are allowed to store and choose to store must be encrypted.
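As an added example (not part of the original article or of Base Commerce's own tooling), the Python below scans constructed log lines for the data Myths #8 and #9 say must never be retained (track 2 stripe data, CVV values, PINs) and for Luhn-valid card numbers, then redacts them before the log is kept; the log format and field names such as `cvv=` and `pin=` are assumptions.

```python
import re
# Constructed sample log lines for this demo; no real card data or real system is involved.
SAMPLE_LOG = [
    "2024-01-05T10:01:02Z INFO order=1001 pan=4111111111111111 cvv=123 amount=19.99",
    "2024-01-05T10:01:03Z DEBUG swipe=;4111111111111111=25121015432112345678? terminal=7",
    "2024-01-05T10:01:04Z INFO order=1002 token=tok_9f8e7d amount=5.00",
    "2024-01-05T10:01:05Z INFO invoice=4111111111111112 customer=42",
]

# Track 2 as read from the magnetic stripe: ';' start sentinel, PAN, '=' separator,
# expiry plus discretionary data, '?' end sentinel. Must never be retained.
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}\d*\?")
# Candidate PAN: a 13-19 digit run not embedded in a longer one; confirmed with Luhn below.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# key=value style CVV/CVV2 and PIN / PIN-block fields (field names are assumptions).
SECRET_KV_RE = re.compile(r"\b(cvv2?|cvc2?|pin(?:_?block)?)(\s*[=:]\s*)[0-9a-f]{3,16}\b", re.I)

def luhn_ok(digits):
    # Luhn check digit: separates real PANs from order numbers and other long integers.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_pan(m):
    # Keep only the last four digits of a Luhn-valid PAN; leave other numbers untouched.
    pan = m.group(1)
    return "*" * (len(pan) - 4) + pan[-4:] if luhn_ok(pan) else pan

def scan_line(line):
    # Return (redacted_line, kinds_found); track data goes first so its PAN is not double-counted.
    kinds = []
    if TRACK2_RE.search(line):
        kinds.append("track2")
        line = TRACK2_RE.sub("[TRACK2 REDACTED]", line)
    if any(luhn_ok(m.group(1)) for m in PAN_RE.finditer(line)):
        kinds.append("pan")
        line = PAN_RE.sub(mask_pan, line)
    if SECRET_KV_RE.search(line):
        kinds.append("cvv/pin")
        line = SECRET_KV_RE.sub(r"\1\2[REDACTED]", line)
    return line, kinds

def scan_log(lines):
    # Every line that carried prohibited data, with its line number and redacted form.
    findings = []
    for n, raw in enumerate(lines, start=1):
        clean, kinds = scan_line(raw)
        if kinds:
            findings.append((n, kinds, clean))
    return findings
```

Running `scan_log(SAMPLE_LOG)` flags lines 1 and 2 only: the 16-digit invoice number on line 4 fails the Luhn check and is left alone, which is what keeps this kind of scanner from drowning in false positives.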
Myth #10: PCI compliance requirements are unreasonable and too difficult and expensive to meet.
Myth Busted: Most of the requirements are part of security best practices you likely are already following. And, getting help from PCI compliance experts can simplify the process and, in many cases, make ensuring you are compliant more affordable.
Taking Action Based on the Facts About PCI Compliance
Once you know the facts about PCI compliance and make a plan for achieving and maintaining it, the process is not as intimidating as it appears. This is especially true if you are working with a payments partner who can guide you through the process.
For software companies, undergoing a PCI audit of your software can be costly, both in terms of time and capital. Plus, the card networks require that merchants be PCI compliant, which means they must use PCI-certified software. Achieving that designation can be challenging if you are unfamiliar with the requirements.
We assist our merchants with completing their PCI Self-Assessment Questionnaires, and enroll each in a breach insurance policy to help cover our loss in the event of a card data breach at the merchant level.
If you have questions about payment processing and how our solutions can help, we are happy to answer them. Contact us today.