The underlying security principles of PCI are alive and well.
Myth 1. I’m already PCI compliant because my _______ says I am.
I hear versions of this myth every single day.
- My hosting provider is PCI compliant, so my site is compliant.
- I outsource my credit card processing, so I’m compliant.
- My point-of-sale device says it’s PCI compliant, so I’m compliant.
- My merchant service provider does my PCI for me.
- My IT guy says I’m PCI compliant.
- My network is PCI compliant.
- I use PA-DSS tools, so I’m PCI compliant.
Don’t believe everything you’re told. Just because a vendor (or the product packaging) claims that you, or the product you use, are PCI compliant doesn’t mean it’s true.
SEE ALSO: 7 Questions to Ask Your POS Installer
Many don’t understand that PCI compliance applies to organizations, not just to the tools or services the organization employs. Yes, the tools you use should be capable of being deployed in a compliant way (e.g. your hosting provider should offer an environment that can be made PCI compliant), but compliant tools in and of themselves won’t make you compliant. How you configure them, who can reach them, and what you do with card data around them is still on you.
Besides your PCI compliance vendor, the only entity truly able to determine your PCI compliance is you.
SEE ALSO: PCI FAQ
Myth 2. We don’t need to worry about PCI compliance because _______.
Many are under the impression that PCI simply doesn’t apply to them. Here are a few common examples:
- We only take a few credit cards a year.
- We’re too small.
- We’re exempt from PCI.
- We’re a university.
- We outsource.
- We are HIPAA compliant.
- Our IT team is worrying about our PCI compliance.
- We’re a non-profit.
- We already completed an SAQ, so we’re compliant.
- We already had a penetration/vulnerability scan, so we’re compliant.
These excuses are rubbish, and won’t exempt you from fines if you are breached, or if your acquiring bank or the card brands find you to be non-compliant.
PCI applies to you if you “accept, capture, store, transmit, or process credit and debit card data.” Period. It doesn’t matter your business size, type, or how many transactions you process per year. The only thing that could exempt you from PCI compliance is if you take ONLY cash (and you never have or never will take credit, or debit cards.)
Myth 3. PCI is irrelevant. Just look at all the breaches happening lately!
PCI DSS security practices aren’t the ceiling of your security, they’re the floor. The requirements determined by the PCI DSS are the fundamental basics of security!
Besides, many of the big breaches in the last few years occurred because the organization wasn’t fulfilling its PCI compliance requirements. Even if they were “certified” as PCI compliant, the vulnerabilities that led to their breach could (and should) have been addressed through PCI compliance. Take Target, for example.
Target didn’t segment its cardholder data environment properly, which is a basic security principle, especially for a large organization. Attackers stole the credentials of a third-party HVAC contractor, used them to get onto Target’s network, and from there moved into the systems handling cardholder data. With proper segmentation, a vendor’s remote-access credentials should never have provided a path to the point-of-sale environment, and the rest is history.
Myth 4. If I get breached, it doesn’t really matter.
Many hear about companies that get breached, but continue to stay in business, and wonder why they should worry about PCI compliance.
Before you discount PCI, think of the fines, lawsuits, breach disclosure costs, investigation costs, card processing rate increases, credit monitoring, etc., that result from a data breach. If a business stays in business after a data breach, I guarantee they didn’t walk away without some serious financial suffering and brand degradation.
Target announced that they expect a $148 million loss from their 2013 data breach. In 2015, Target settled their class-action lawsuit for $10 million.
Let me break down the typical costs of a data breach:
- Merchant processor compromise fine: $5,000 – $50,000
- Forensic investigation: $12,000 – $100,000
- Onsite QSA assessments following the breach: $20,000 – $100,000
- Free credit monitoring for affected individuals: $10 – $30/card
- Card re-issuance penalties: $3 – $10 per card
- Lawyer fees: $5,000+
- Breach notification costs: $1,000+
- Technology repairs: $2,000+
- An increase in monthly card processing fees: varies
- Federal/municipal fines: varies
- Legal fines: varies
If you also lose healthcare information in a breach:
- HHS fines: up to $1.5 million/violation/year
- Federal Trade Commission fines: $16,000/violation
- Class action lawsuits: $1,000/record
- State attorneys general: $150,000 – $6.8 million
- Patient loss: 40%
As I’m sure you can see by this list, most businesses can’t survive a data breach.
Myth 5. Once I’m PCI compliant, I’m good!
PCI is not a moment in time. Your PCI DSS compliance does not end when your QSA leaves your office or your SAQ is submitted. Not only are you required to assess your compliance each year, you are required to maintain PCI compliance every second of every day.
Myth 6. If I’m PCI compliant, I’m protected from hackers.
For many organizations, PCI security standards get treated like a one-time event (see Myth 5). In truth, businesses must stop thinking of compliance as a giant checklist. Your business, your systems, and your employees all have weaknesses and vulnerabilities that have to be treated with a healthy, ongoing security mindset.
For example, you need to run vulnerability scans at least quarterly (external scans by an Approved Scanning Vendor, plus internal scans) and again after any significant change to your network. You should also be scanning your systems, including logs, backups, and databases, for unencrypted credit card data, and removing it or properly protecting it wherever it turns up.
These are just a few basic examples. PCI does protect your organization from hackers if you maintain real security, but being “attested” or “certified” as compliant won’t save you.
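The scan for unencrypted card data mentioned above is worth seeing concretely. The following is an added example, not code from the original post or from SecurityMetrics: it pulls candidate 13–19 digit strings out of text, keeps only those that pass the Luhn checksum (which removes most order numbers and timestamps), and reports each hit with the PAN masked to first six and last four digits so the report itself does not become cardholder data. The sample log lines are constructed for the example and use the well-known card-brand test numbers, not real cards.

```python
from __future__ import annotations

import re
from typing import Iterable

# Candidate PAN: 13-19 digits, each optionally followed by one space or dash,
# and not embedded in a longer run of digits. This pattern is deliberately
# loose; the Luhn check below filters the false positives it produces.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first 6 and last 4 digits (the PCI DSS display rule), mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN found in text, separators removed, unmasked."""
    pans = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans


def scan_lines(lines: Iterable[str]) -> list[dict]:
    """Scan lines of text (a log, a CSV export, a config dump) for PANs.

    Findings carry only the masked PAN, so the scan output can be stored and
    shared without itself becoming cardholder data.
    """
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            findings.append({"line": line_no, "masked": mask_pan(pan), "length": len(pan)})
    return findings


def scan_file(path: str) -> list[dict]:
    """Scan a text file; undecodable bytes are replaced rather than aborting the scan."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_lines(fh)


# Constructed sample input (hypothetical application log). The card numbers are
# the public Visa, Mastercard and American Express test numbers.
SAMPLE_LOG = [
    "2014-03-01 10:00:01 order=1234567890123456 status=shipped",  # order id, fails Luhn
    "2014-03-01 10:00:02 card=4111 1111 1111 1111 exp=12/26",      # Visa test PAN, spaced
    "2014-03-01 10:00:03 card=5500000000000004 exp=01/27",         # Mastercard test PAN
    "2014-03-01 10:00:04 card=378282246310005 exp=03/25",          # Amex test PAN, 15 digits
    "2014-03-01 10:00:05 card=4111111111111112 exp=12/26",         # mistyped PAN, fails Luhn
    "2014-03-01 10:00:06 phone=801-555-0123 ref=20140301",         # too short to be a PAN
]

if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LOG):
        print(f"line {finding['line']}: {finding['masked']} ({finding['length']} digits)")
```

Run against the sample, the scanner flags lines 2, 3 and 4 and ignores the order number, the mistyped card and the phone number. A real sweep of your environment has to go further than this: scan database dumps, backups, mail stores and crash dumps as well as plain logs, and treat every hit as data to be deleted or moved under proper encryption and access control, not merely noted.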
Myth 7. I’ll just outsource PCI and never worry about compliance.
While you can hire third parties to help you with compliance, it’s still your responsibility to become PCI compliant. The merchant always holds the responsibility for PCI compliance, especially if they are hacked.
Even if you use a PCI compliance vendor like SecurityMetrics, you are still in charge of making sure security requirements are put into practice at your organization.
SEE ALSO: Free PCI Compliance Demo
Myth 8. PCI is so easy! All we have to do is say yes!
PCI compliance isn’t just saying yes to all the Self-Assessment Questionnaire questions, even though I strongly suspect many merchants apply this method when going through PCI compliance. You must do all the requirements in PCI, take the SAQ, scan your systems (if appropriate) and be able to prove it!
If your SAQ asks whether you have a firewall in place with inbound and outbound traffic restricted to only what is necessary for the cardholder data environment, are you just answering yes, or is your firewall actually configured to deny everything else by default?
Anyone can fill out their SAQ with "yes" checkboxes, but that won't actually make them compliant unless they’re actually doing everything they’ve checked "yes" to. Checking “yes” when you know you’re not compliant is a false attestation, and can open you to penalties, including loss of the ability to accept cards.
Myth 9. I passed my vulnerability scan, so I’m compliant.
PCI security standards compliance is more than an SAQ or a vulnerability scan (or several). A passing scan covers only the requirements that a scanner can test; depending on your organization and the way you process credit cards, you may be required to attest to more or fewer PCI requirements, and the scan is just one of them.
Myth 10. PCI is too hard and confusing.
Yes, PCI is hard, but not too hard. PCI is basic, common-sense baseline security. If PCI were easy, it wouldn’t be doing anything to protect you from malicious attackers looking to steal your credit card data.
If you find the PCI requirements too difficult to understand, hire an IT and security professional to help you, or consult with your PCI security vendor.
Conclusion
Whining is much easier than securing. That’s why these myths are so popular. It’s easier to make excuses than to actually start securing your data. Your goal and mindset shouldn’t be “passing PCI compliance with as little work as possible.” It should be “being secure through PCI compliance, whatever it takes.”
Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.