Top 5 Myths About PCI DSS Compliance

Payment Card Industry Data Security Standard (PCI DSS) compliance often brings to mind sweeping government regulation and the management of an unimaginable volume of credit card data. In reality, PCI DSS is a contractual industry standard, and it applies to every company that accepts, processes, or stores payment card data, regardless of size or industry.

In this post, we’ll debunk the top 5 myths about PCI DSS compliance to help guide you as to your business’ rights and responsibilities.

“PCI Compliance is Set By the Government.”

The standard is not set by the government. PCI DSS is written and maintained by the PCI Security Standards Council (PCI SSC), an industry body founded by the major card brands; the Council publishes the requirements but does not enforce them. Enforcement, together with the merchant levels and validation requirements, comes from the individual card brands such as Visa and Mastercard, and is usually applied through your acquiring bank. Each brand divides merchants into levels based on the number of transactions processed per year. For instance, Visa's merchant levels are:

  1. Level 1: Merchants that process more than 6 million Visa transactions per year (all channels).
  2. Level 2: Merchants that process 1 to 6 million Visa transactions per year (all channels).
  3. Level 3: Merchants that process 20,000 to 1 million Visa e-commerce transactions per year.
  4. Level 4: Merchants that process fewer than 20,000 Visa e-commerce transactions per year, and all other merchants that process up to 1 million Visa transactions per year.

Your acquiring bank (merchant bank) assigns your level and tells you how it expects you to validate compliance, but it is your responsibility to confirm the thresholds and validation requirements for each brand you accept, because they differ slightly from brand to brand.

“Being PCI Compliant Protects Me From Legal Action in the Event of a Breach.”

Unfortunately, PCI compliance doesn’t protect your business from legal action. Your credit card processor, your bank, and even your customers can sue you as a result of a data breach. However, being able to show that you were compliant at the time of the breach can strengthen your position in a lawsuit or in a dispute with your acquirer.

Adding a clause in your merchant account contract that indemnifies you under certain circumstances (e.g., a data breach) could also help protect your business from being sued. A third-party payment processor may be open to adding this to your contract as long as the source of the breach can be determined.

“I Don’t Need to Worry About Compliance Because I Only Handle Debit Cards.”

According to the PCI Compliance Guide, PCI DSS compliance applies to any company that “accepts, transmits or stores any cardholder data.” These standards apply to all types of card payment information — debit cards included — for a couple of reasons. First, credit and debit cards have the same types of data that thieves target, including:

  • Primary Account Number (PAN)
  • Cardholder Name
  • Expiration Date

Second, debit and credit card payments are accepted on the same equipment (a POS system or card terminal) and follow the same path: they pass through your merchant (acquiring) bank, which settles them with the issuing bank that gave the cardholder the card. Most debit cards issued today are branded signature-debit cards that run over the Visa or Mastercard network, so the data on them is cardholder data under PCI DSS exactly as it is on a credit card.

“Using a Third-Party Credit Card Processor Automatically Makes Me Compliant.”

It is your responsibility to validate your company’s compliance, regardless of which processing company you work with. From a legal standpoint, using a third-party processor may reduce your risk exposure and liability, but it does not make you compliant, and your acquirer will still expect a completed validation from you.

When it comes to compliance, how you accept payments (the type of payment equipment or e-commerce integration) and what cardholder data you store matter more than which third-party processor you use. These factors determine which self-assessment questionnaire (SAQ) applies to you, for example the short SAQ A for merchants that fully outsource all card handling to a validated third party versus the full SAQ D for merchants that store or process cardholder data themselves, and therefore what you must demonstrate to validate compliance.

“PCI Compliance Can Wait.”

Whether you think PCI compliance is too difficult or too lengthy a process, waiting is one of the worst things you can do. You are responsible for your own PCI DSS compliance, and if you fail to validate it, the card brands can levy non-compliance fines on your acquiring bank, which will pass them on to you; these are commonly cited as running from several thousand dollars up to $100,000 a month until you become compliant. Those costs don’t include the fines, forensic investigation costs, and card-reissuance charges that follow an actual breach.

PCI DSS compliance is also about much more than checking a box. The requirements help your company become more secure and align with industry best practices. And in an age when personal data is constantly compromised in data breaches, those additional security measures can make all the difference.

Compliance Myths Debunked

If your company handles card payments, then you must adhere to some form of PCI DSS validation. Take the information shared — and the myths debunked — in this article to help you better navigate the PCI DSS compliance process, and remember to have a solid cybersecurity plan in place to protect these transactions from a data breach. For more information, view our checklist on PCI Compliance and our recommendation on hiring a PCI-Certified QSA.

Sentek Cyber is a trusted firm with a wealth of experience spanning multiple industries. We are proud to specialize in PCI DSS Compliance and would love to find out more about your company and your specific needs. Contact us today to start a conversation.