The underlying principles of PCI are essential to effective security. Don't let yourself fall victim to these 10 common PCI myths.
There is a lot of great information about PCI out there, but there are also a lot of misconceptions. Here are 10 common myths about PCI compliance.
Myth 1. I’m already PCI compliant because my _______ says I am.
There are several versions of this myth:
- My hosting provider is PCI compliant, so my site is compliant.
- I outsource my credit card processing, so I’m compliant.
- My point-of-sale device says it’s PCI compliant, so I’m compliant.
- My merchant service provider does my PCI for me.
- My IT guys say I’m PCI compliant.
- My network is PCI compliant.
- I use PA-DSS tools, so I’m PCI compliant.
Just because a vendor says (or product packaging claims) that you, or the product you use, are PCI compliant doesn’t mean it’s true.
Many don’t understand that PCI compliance applies to organizations, not just the tools or services the organization employs. Yes, the tools you use should have the capability of being PCI compliant (e.g. your hosting provider should provide an environment that's capable of being PCI compliant), but just having compliant tools alone won’t make your business PCI compliant.
Besides your PCI compliance vendor, the only entity truly able to determine your PCI compliance is you.
Myth 2. We don’t need to worry about PCI compliance because _______.
Many are under the impression that PCI simply doesn’t apply to them. Here are a few common examples:
- We only take a few credit cards a year.
- We’re too small.
- We’re exempt from PCI.
- We’re a university.
- We outsource.
- We are HIPAA compliant.
- Our IT team is worrying about our PCI compliance.
- We’re a non-profit.
- We already completed a Self-Assessment Questionnaire (SAQ), so we’re compliant.
- We already had a penetration/vulnerability scan, so we’re compliant.
None of these reasons is valid, and none of them will exempt you from fines if you are breached or are found by the PCI Council to be non-compliant.
PCI applies to you if you “accept, capture, store, transmit, or process credit and debit card data.” Period. Your business size, your business type, and how many transactions you process per year don't matter. The only thing that could exempt you from PCI compliance is if you take ONLY cash (and you never have taken, and never will take, credit or debit cards).
Myth 3. PCI is irrelevant. Just look at all the breaches happening lately!
PCI DSS security practices aren’t the ceiling of your security; they’re the floor. The requirements set by the PCI DSS are the fundamental basics of security.
Many of the big breaches of the last few years occurred because the organization wasn’t fulfilling its PCI compliance requirements. Even if it had been “certified” as PCI compliant, the vulnerabilities that led to the breach could (and should) have been addressed through PCI compliance.
For example, Target didn’t segment their card data environment properly, which is considered a basic security principle, especially for a large organization. Target’s cardholder data network was on the same network as their HVAC systems. Hackers got hold of the HVAC system password, got access to the entire network (including cardholder data), and the rest is history.
Myth 4. If I get breached, it doesn’t really matter.
Many hear about companies that get breached, but continue to stay in business. This can lead people to wonder why they should worry about PCI compliance.
Before you discount PCI, think of the fines, lawsuits, breach disclosure costs, investigation costs, credit card rate increases, credit monitoring, etc., that follow a data breach. If a business stays in business after a data breach, I guarantee it didn’t walk away without some serious financial suffering and brand degradation.
A breakdown of the cost of a data breach:
- Merchant processor compromise fine: $5,000 – $50,000
- Forensic investigation: $12,000 – $100,000
- Onsite QSA assessments following the breach: $20,000 – $100,000
- Free credit monitoring for affected individuals: $10 – $30 per card
- Card re-issuance penalties: $3 – $10 per card
- Lawyer fees: $5,000+
- Breach notification costs: $1,000+
- Technology repairs: $2,000+
- An increase in monthly card processing fees: +
- Federal/municipal fines: +
- Legal fines: +
If you also lose healthcare information in a breach:
- HHS fines: up to $1.5 million/violation/year
- Federal Trade Commission fines: $16,000/violation
- Class action lawsuits: $1,000/record
- State attorneys general: $150,000 – $6.8 million
- Patient loss: 40%
As I’m sure you can see by this list, most businesses can’t survive a data breach.
Myth 5. Once I’m PCI compliant, I’m good!
PCI is not a moment in time. Your PCI DSS compliance does not end when your QSA leaves your office or your SAQ is submitted. Not only are you required to assess your compliance each year, you are required to maintain PCI compliance every second of every day.
Myth 6. If I’m PCI compliant, I’m protected from hackers.
For many organizations, PCI security standards get treated like a one-time event (see Myth 5). In truth, businesses must stop thinking of compliance as a giant checklist. Your business, your systems, and your employees all have weaknesses and vulnerabilities that have to be treated with a healthy, ongoing security mindset.
For example, you need to run vulnerability scans quarterly and each time you make changes to your network. You should also be scanning your systems for unencrypted credit card data, and removing it or properly protecting it.
These are just a few basic examples. PCI does protect your organization from hackers if you maintain real security, but being “attested” or “certified” as compliant won’t save you.
Myth 7. I’ll just outsource PCI and never worry about compliance.
While you can hire third parties to help you with compliance, it’s still your responsibility to become PCI compliant. The merchant always holds the responsibility for PCI compliance, especially if they are hacked.
Even if you use a PCI compliance vendor like SecurityMetrics, you are still in charge of making sure security requirements are put into practice at your organization.
Myth 8. PCI is so easy! All we have to do is say yes!
PCI compliance isn’t just saying yes to all the Self-Assessment Questionnaire questions, even though I strongly suspect many merchants take that approach when going through PCI compliance. You must meet all the PCI requirements, complete the SAQ, scan your systems (if appropriate), and be able to prove it!
If your SAQ asks if you have a firewall in place with inbound and outbound traffic restricted to only that which is necessary for the cardholder data environment, are you just answering yes, or is your firewall configured to actually restrict the appropriate traffic?
Anyone can fill out their SAQ with "yes" checkboxes, but that won't make them compliant unless they’re actually doing everything they’ve checked "yes" to. Lying by checking “yes” when you know you’re not compliant can open you to penalties, including loss of credit card privileges.
Myth 9. I passed my vulnerability scan, so I’m compliant.
PCI DSS compliance is more than an SAQ or vulnerability scan(s). Depending on your organization and the way you process credit cards, you may be required to attest to more or fewer PCI requirements.
Myth 10. PCI is too hard and confusing.
Yes, PCI is hard, but not too hard. PCI is basic, common-sense baseline security. If PCI were easy, it wouldn’t be doing anything to protect you from malicious attackers looking to steal your credit card data.
If you find the PCI requirements too difficult to understand, hire an IT and security professional to help you, or consult with your PCI security vendor.