Having a proactive mindset about PCI compliance will save you a lot of money, and perhaps even your business, in the long run.
There is a lot of great information about PCI out there, but there are also a lot of misconceptions. Here are 10 common myths about PCI compliance.
There are several versions of this myth:
Just because a vendor says (or the product packaging claims) that you, or the product you use, are PCI compliant doesn’t mean it’s true.
See also: 7 Questions to Ask Your POS Installer
Many don’t understand that PCI compliance applies to organizations, not just to the tools or services the organization uses. Yes, the tools you use should be capable of supporting PCI compliance (e.g., your hosting provider should offer an environment that can be made PCI compliant), but compliant tools alone won’t make your business PCI compliant.
Apart from your QSA or PCI compliance vendor, the only entity that can truly determine whether you are PCI compliant is you.
See also: PCI FAQ
Many are under the impression that PCI simply doesn’t apply to them. Here are a few common examples:
None of these reasons holds up, and none of them will exempt you from fines if you are breached or are found to be non-compliant. Note that the fines come from the card brands, passed down through your acquiring bank; the PCI Council writes the standard but does not levy fines itself.
PCI applies to you if you “accept, capture, store, transmit, or process credit and debit card data.” Period. Your business size, business type, and the number of transactions you process per year don’t matter. The only thing that could exempt you from PCI compliance is taking ONLY cash (and never having accepted, and never planning to accept, credit or debit cards).
PCI DSS security practices aren’t the ceiling of your security; they’re the floor. The requirements in the PCI DSS are the fundamental basics of security.
Many of the big breaches in the last few years occurred because the organization wasn’t fulfilling its PCI compliance requirements. Even where the organization had been “certified” as PCI compliant, the vulnerabilities that led to the breach could (and should) have been addressed through PCI compliance.
For example, Target didn’t segment its cardholder data environment properly, which is considered a basic security principle, especially for a large organization. Attackers obtained network credentials belonging to Target’s HVAC contractor, used them to get onto Target’s network, and, because the cardholder data environment wasn’t segmented from the rest of that network, reached the card data. The rest is history.
Many hear about companies that get breached but stay in business, which leads them to wonder why they should worry about PCI compliance.
Before you discount PCI, think of the fines, lawsuits, breach disclosure costs, investigation costs, increased card processing rates, credit monitoring for affected customers, etc., that follow a data breach. If a business stays in business after a data breach, I guarantee it didn’t walk away without serious financial suffering and brand damage.
A breakdown of the costs of a data breach:
If you also lose healthcare information in a breach:
As I’m sure you can see from this list, the combined costs are more than most businesses can survive.
See also: How Much Does a Data Breach Cost Your Organization?
See also: SecurityMetrics PCI Guide
PCI compliance is not a point-in-time event. Your PCI DSS compliance does not end when your QSA leaves your office or your SAQ is submitted. Not only are you required to assess your compliance each year, you are required to maintain PCI compliance every second of every day.
See also: PCI Compliance Maintenance – You’re Not Done Yet
For many organizations, PCI security standards get treated like a one-time event (see Myth 5). In truth, businesses must stop thinking of compliance as a giant checklist. Your business, your systems, and your employees all have weaknesses and vulnerabilities that have to be treated with a healthy, ongoing security mindset.
See also: Top 5 Security Vulnerabilities Every Business Should Know
For example, you need to run internal and external vulnerability scans at least quarterly and after any significant change to your network (the external scans must be performed by a PCI Approved Scanning Vendor, an ASV). You should also be scanning your systems for unencrypted credit card data and either removing it or properly protecting it.
These are just a few basic examples. PCI does help protect your organization from attackers if you maintain real security, but being “attested” or “certified” as compliant on paper won’t save you.
See also: A Hacking Scenario: How Hackers Choose Their Victims
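As an added illustration of the “scan your systems for unencrypted card data” point above (this is example code written for this page, not a SecurityMetrics tool or anything the original article shipped), here is a minimal cleartext PAN discovery pass over text data. It looks for 13 to 19 digit runs, drops the ones that fail the Luhn check digit, and reports hits truncated to first six and last four digits so the report itself does not become another store of card data. The log lines in `SAMPLE_LOG` are constructed for the example; the card numbers in them are well-known test numbers, not real accounts.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits. This is a discovery pattern, not a validator.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """True if the digit string passes the Luhn check digit (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return digit-only PAN candidates in text that pass the Luhn check."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan):
    """Truncate for reporting: at most the first 6 and last 4 digits are shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_lines(lines):
    """Scan an iterable of text lines; return (line_number, masked_pan) per hit."""
    hits = []
    for no, line in enumerate(lines, 1):
        for pan in find_pans(line):
            hits.append((no, mask_pan(pan)))
    return hits


# Constructed sample log (not real data): a cleartext 16-digit PAN, a properly
# masked one, a 16-digit number that is not a card number, and a cleartext
# 15-digit PAN. The PANs are standard test numbers.
SAMPLE_LOG = """\
2024-01-05 10:12:03 order=98213 card=4111 1111 1111 1111 exp=12/26
2024-01-05 10:12:09 order=98214 card=************1234 exp=01/27
2024-01-05 10:13:44 tracking 1234567890123456 shipped
2024-01-05 10:15:00 refund 378282246310005 amount=19.99
"""

if __name__ == "__main__":
    for line_no, masked in scan_lines(SAMPLE_LOG.splitlines()):
        print(f"line {line_no}: cleartext PAN {masked}")
```

Two caveats a practitioner should keep in mind: roughly one in ten random digit strings of the right length passes Luhn, so hits are leads to verify (for example against known issuer BIN ranges), not proof; and a real discovery tool also has to look inside databases, binaries, memory dumps and compressed files, not only plain-text logs.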
While you can hire third parties to help you with compliance, it’s still your responsibility to become PCI compliant. The merchant always holds the responsibility for PCI compliance, and the merchant is who gets held accountable if there is a breach.
Even if you use a PCI compliance vendor like SecurityMetrics, you are still in charge of making sure security requirements are put into practice at your organization.
PCI compliance isn’t just saying yes to every Self-Assessment Questionnaire question, even though I strongly suspect many merchants take this approach to PCI compliance. You must actually meet all the PCI requirements that apply to you, complete the SAQ, scan your systems (if your SAQ type requires it), and be able to prove it!
If your SAQ asks whether you have a firewall in place with inbound and outbound traffic restricted to only what is necessary for the cardholder data environment, are you just answering yes, or is your firewall actually configured to restrict that traffic?
Anyone can fill out an SAQ with “yes” checkboxes, but that won’t make them compliant unless they’re actually doing everything they’ve checked “yes” to. Lying by checking “yes” when you know you’re not compliant can open you to penalties, including losing the ability to accept credit cards.
PCI security standards compliance is more than an SAQ or vulnerability scan(s). Depending on your organization and the way you process credit cards, you may be required to attest to more or fewer PCI requirements.
Yes, PCI is hard, but not too hard. PCI is basic, common-sense baseline security. If PCI were easy, it wouldn’t be doing anything to protect you from malicious attackers looking to steal your credit card data.
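To make the firewall question concrete, here is an added example (written for this page, not code from the original article or from any SecurityMetrics product) that audits an `iptables-save` style ruleset for the host-level version of “inbound and outbound restricted to only what is necessary”: default-DROP policies, and every ACCEPT rule pinned to a port and a source (inbound) or destination (outbound), with loopback and established-connection rules exempt. The two rulesets are constructed for the example and use documentation address ranges; the checks are deliberately simple and are a starting point for verifying a “yes” answer, not a complete PCI DSS Requirement 1 review.

```python
# Constructed iptables-save style dumps (assumed format; not taken from the page).
# LOOSE_RULES is the kind of config behind a checkbox "yes"; STRICT_RULES is one
# that actually restricts traffic for a cardholder-data host.
LOOSE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

STRICT_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s 10.10.5.0/24 --dport 22 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp -d 203.0.113.10 --dport 443 -j ACCEPT
COMMIT
"""


def parse_filter_table(dump):
    """Return (policies, rules) from the *filter table of an iptables-save dump.

    policies maps chain name -> default policy; rules is a list of
    (chain, option tokens) for every -A line in the table.
    """
    policies, rules = {}, []
    in_filter = False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            in_filter = (line == "*filter")
        elif not in_filter or not line or line == "COMMIT" or line.startswith("#"):
            continue
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            tokens = line.split()
            rules.append((tokens[1], tokens[2:]))
    return policies, rules


def audit_ruleset(dump):
    """Return a list of findings; an empty list means inbound and outbound are restricted."""
    policies, rules = parse_filter_table(dump)
    findings = []
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        policy = policies.get(chain, "missing")
        if policy != "DROP":
            findings.append(f"{chain}: default policy is {policy}, expected DROP")
    for chain, tokens in rules:
        if "-j" not in tokens or tokens[tokens.index("-j") + 1] != "ACCEPT":
            continue
        opts = set(tokens)
        if "lo" in tokens and ("-i" in opts or "-o" in opts):
            continue  # loopback traffic
        if "--ctstate" in opts or "--state" in opts:
            continue  # replies to connections that were already allowed
        rule = " ".join(tokens)
        if "--dport" not in opts and "--dports" not in opts:
            findings.append(f"{chain}: ACCEPT without a port restriction: {rule}")
        if chain == "INPUT" and "-s" not in opts:
            findings.append(f"{chain}: ACCEPT from any source: {rule}")
        if chain == "OUTPUT" and "-d" not in opts:
            findings.append(f"{chain}: ACCEPT to any destination: {rule}")
    return findings


if __name__ == "__main__":
    for name, dump in (("loose", LOOSE_RULES), ("strict", STRICT_RULES)):
        print(f"{name}: {len(audit_ruleset(dump))} finding(s)")
        for finding in audit_ruleset(dump):
            print("  " + finding)
```

Running it reports four findings for the loose ruleset (three open default policies plus SSH accepted from any source) and none for the strict one. The same idea applies to nftables, cloud security groups, or a perimeter appliance: export the live configuration and check it against what the SAQ answer claims, rather than ticking the box from memory.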
If you find the PCI requirements too difficult to understand, hire an IT and security professional to help you, or consult with your PCI security vendor.
See also: SecurityMetrics PCI Guide
Checking off a list is much easier than actually securing your systems. That’s why these 10 PCI myths are so popular. It’s easier to make excuses, try to find loopholes, or ignore PCI compliance than to actually start securing your data. Your goal and mindset shouldn’t be “passing PCI compliance with as little work as possible.” It should be “being secure through PCI compliance, whatever it takes.” Having a proactive mindset about PCI compliance will save you a lot of money, and perhaps even your business, in the long run.