Myth #1: PCI is a law
Not at all. The standards are maintained by the Payment Card Industry Security Standards Council, an independent entity established by the major card brands in 2006. The U.S. government has no involvement in the standard or its enforcement. This is industry self-regulation, so you can’t go to jail for non-compliance with PCI DSS – but you can lose the ability to process payment cards.
Myth #2: PCI doesn’t apply to me
If your organization processes, stores, or transmits payment card data, then PCI DSS applies to you, plain and simple. While there are different merchant levels that specify different methods of reporting, everyone from retail titans to local coffee shops must comply with the PCI standards.
Myth #3: The card brands fine merchants
Many merchants don’t understand the mechanics of PCI fines. We know the government isn’t involved, but who exactly fines merchants? The card brands? The PCI Security Standards Council? In fact, PCI compliance is enforced by a merchant’s acquiring bank. That means fines are assessed by the acquiring bank, too.
Why do they bother to police your compliance? Because they’re the (first) ones on the hook if your security isn’t up to snuff. You see, they are subject to fines from the card brands for non-compliant merchants, as well as penalties if you experience a breach and are found non-compliant. This is why the level of reporting you’re required to provide is determined by your acquiring bank, and they’ll very likely pass the cost of noncompliance on to you.
Myth #4: PCI is the IT department’s problem
At first blush, network security compliance might seem like a purely technological problem – something for the IT folks to handle. But non-tech folks can make tech mistakes, and online attackers are increasingly making inroads on sensitive data through human channels like unsuspecting customer service representatives. Everyone who comes into contact with payment card data needs to be trained on their role in PCI compliance.
Myth #5: Doing the right things is enough
Putting all the right security measures in place is at the heart of PCI, but it’s not enough to demonstrate compliance. You might call it a necessary but not sufficient condition – to be in full compliance with the PCI security standards, you must have proper documentation that all of your security measures are in place and tested.
Myth #6: You can outsource PCI responsibilities completely
Some businesses believe that since they’ve hired a third-party vendor for certain IT services, PCI no longer applies to them. But the Security Standards Council has made it very clear that this isn’t so, saying that a merchant cannot completely absolve itself of responsibility for compliance. To be clear, you can engage a third-party partner to provide PCI security solutions, and to help you ensure PCI compliance. These partnerships can be highly valuable.
But there’s an important distinction to be made here: You cannot sign away all responsibility for PCI requirements – and you should respond to anyone who offers such a service with skepticism. Furthermore, if you do use a partner, make sure that you clearly define each party’s responsibilities for PCI compliance in your contractual agreement, and be sure to hold the partner accountable for doing their part on a regular basis. Whether you handle your PCI security obligations yourself or engage a third party, heightened vigilance about PCI DSS is a critical component of your organization’s security.
LBMC Information Security reviews compliance efforts, can test to assure compliance and can help your team develop an action plan to remediate compliance. Learn more about our PCI Compliance services.