10. Compliance can be achieved in a one-time, singular solution.
Unfortunately this is not so. A single product or service that would enable merchants to achieve compliance and protect all sensitive data is simply too good to be true. Compliance is an ongoing series of risk assessments and improvements allowing you to deter and outsmart devious cyber criminals from gaining access to your sensitive data.
9. Compliance is the responsibility of your merchant services provider.
Compliance must always be an in-house priority. Having a merchant services provider handle your credit card processing is smart, but it does not relinquish you from the responsibility of becoming compliant. Compliance is a matter of security that requires merchants to assess vulnerabilities that could expose cardholder data, remediate them and report required compliance records to your merchant services provider and card brands.
8. Compliance is the job of the IT Department or tech guy.
Noncompliance has the potential to negatively impact every aspect of your business, so it makes sense that being compliant is everyone’s job — in every department — and at every level. Even though technology is the key component of data security, there is much more to maintaining compliance than simply installing a firewall or antivirus program.
7. Compliance guarantees my data is 100 percent safe.
Compliance is not a guarantee; it is a crucial achievement, yet data security requires constant vigilance. There can never be 100 percent certainty that your sensitive data will never be compromised. Crime doesn’t take a vacation, and hackers and thieves are constantly inventing new ways to invade networks and steal information. Compliance is an ongoing process to help protect your business for the long term, which is why the Payment Card Industry Data Security Standards (PCI DSS) requires merchants at all levels to conduct quarterly PCI scans.
6. Compliance is too complicated.
The steps to compliance consist of some of the best practices in data security management that logically address all critical protective measures. Merchants are never required to complete unnecessary or irrelevant tasks. By meeting the data security standards for compliance, you are doing your best to keep your sensitive information safe through secure management, policies, procedures, network architecture, software design and other critical means.
5. I need to hire my own security expert to become compliant.
The first requirement of compliance is completing the self-assessment questionnaire (SAQ), which requires no outside help. Not all merchants are required to meet the same criteria to become compliant, and only certain aspects of PCI compliance require help from an outside expert. For example, PCI scans must be conducted by an approved scanning vendor (ASV), and compliance audits require bringing in a qualified security assessor. Unless a merchant suffers a data breach, small businesses are generally not required to complete a compliance audit.
4. My business is so small that I don’t need to achieve compliance.
If you accept credit cards and other payment cards, you must be compliant. All businesses that process credit card payments are required to meet compliance standards, regardless of size or sales volume.
3. Once I complete the SAQ, I become compliant.
On occasion, completing the SAQ is enough to achieve compliance but that is not usually the case. Compliance is an ongoing process. You need to continually assess and improve your business security measures to maintain it. Most of the time the self-assessment questionnaire serves as a guide, shedding light on areas that need attention in order for you to become compliant. This risk assessment tool often points out the next steps you must take (such as completing a PCI scan) to achieve compliance.
2. Storing cardholder data will help me be compliant.
The opposite of this is true! The PCI DSS specifically discourages the storing of customer information and clearly prohibit the storing of credit card magnetic strip data. An additional PCI DSS stipulation maintains that all data, whether stored or not, must be encrypted and offsite.
1. Compliance is practically impossible to achieve.
When merchants learn there are 12 requirements of PCI compliance, they sometimes jump to the conclusion that the procedures are too complex and beyond their ability. The truth is that many of the protocols in the PCI DSS are just good security sense and offer you better ways to protect your data and your business. Merchants may complain about the expense of becoming compliant, but it pales in comparison to the devastating costs and other damages of an average data security breach. The cost of getting compliant is nominal and protecting the sensitive data of your business and your customers is priceless.
The information on this page is not intended to be a source of legal advice. Therefore, you should not rely on the information provided herein as legal advice for any purpose, and should always seek the legal advice of competent counsel in your jurisdiction.
Author: Ken Givens has been a marketing and security consultant in the Credit Card and Check Merchant Services industry since 1994. He has worked for national companies, as well as owning his own company. He is a member of several trade and business groups and provides learning seminars on security, compliance, fraud, and understanding rates. He can be reached at 512-535-2255 or KenGivens@USMSTexas.com.