There is a lot of conflicting information around when it comes to PCI compliance, and it leads merchants to make mistakes without realising it; those mistakes can be very costly. There is no need to panic, though: we have put together a list of the common myths so that you can separate the facts from the falsehoods.
Many people assume that you only need to be concerned with PCI compliance if you run an e-store or some other e-commerce business. This is not the case. PCI DSS applies to any merchant that processes, stores or transmits cardholder data, whatever the sales channel. So if you take card payments in person on a POS terminal, you need to be concerned with PCI compliance.
This is another myth: PCI DSS applies to anyone who takes cardholder data, regardless of how many cards you handle or how often you handle them. No one is exempt, including small merchants; your transaction volume affects only your merchant level and how you validate compliance, not whether you must comply. Many business owners also think they can simply wait until their business grows. That too is false, and waiting could prove extremely costly.
This is not the case. While you are not advised to pick the cheapest solution you can find, you certainly do not have to break the bank to achieve PCI compliance, and ignoring your responsibility to be compliant will cost you far more. At Retail Secure, we have designed our solution with cost efficiency in mind, especially for small merchants who cannot invest in security solutions the way large companies can.
PCI applies to every business that transmits, processes or stores cardholder information – there are no exemptions.
Debit card data needs to be protected in the exact same way that credit card data is under PCI.
Many merchants push PCI to the back of their mind because they deem it too complex and difficult. When you first read the PCI DSS requirements you may feel overwhelmed, and it can seem a daunting process, especially if you do not have a substantial security team. It is not as tough as it seems, and that is where Retail Secure can assist: we can handle PCI compliance for you so that you have nothing to worry about and can carry on running your business. It is also vital to recognise that the PCI requirements are steps you should be taking anyway to protect your business, so failing to take them will be far more costly and much harder to come back from.
This is another myth. To be PCI compliant you must meet every requirement that applies to you: the pass mark is 100 per cent and there is no margin for error. A requirement that genuinely does not apply to your environment can be recorded as not applicable with a documented justification, and a control you cannot implement exactly as written can sometimes be met with a documented compensating control, but a requirement that is simply not met means you are failing a basic standard for handling cardholder data, so you need to strive to attain them all.
This is one of the costliest myths floating around. Suppose you answer 'yes' to every question on the Self-Assessment Questionnaire even though you have not done what it asks of you. What if your business then suffers a breach? The investigation that follows will make it obvious that you lied on the SAQ, which puts you in even deeper trouble: not only have you compromised your customers, you have done so knowingly, and the consequences are severe. This is something most businesses cannot come back from.
Compliance is a continual process. The threat of a security breach grows by the day, and a single change at your business (a new terminal, a new supplier, a software update) can knock you out of compliance. Validation may only happen annually, but to truly be compliant you need to maintain the controls all of the time.
In fact, the opposite is true: if your business suffers a data breach, you will find that fewer customers remain loyal. Technology has advanced rapidly over the years, and there is no reason why compliance should harm the customer experience. You can still put customers first while keeping financial and personal data out of the environments that do not need it.
This is not true; there is no blanket requirement to hire a Qualified Security Assessor (QSA). Many companies, especially large ones, do hire a QSA because it is the easiest and most effective approach for them, and the highest-volume merchants are required by their acquirer to have an on-site assessment. Smaller merchants use the Self-Assessment Questionnaire instead. Your acquirer will confirm which validation method applies to you.
While it may seem like a lot of hassle, PCI is designed to protect your business. The steps you take reduce the chance of your company suffering a data breach, so PCI is far from the enemy.
Many business owners assume they are compliant because they outsource card processing. Unfortunately, this is another myth: you still handle cardholder data at some point, for example when you process a refund or when a customer hands you their card details. You also remain responsible for making sure the company you outsource to is compliant, so ask for their Attestation of Compliance and agree in writing which requirements they cover and which remain yours.
This is one of the most common myths floating around, and acting on it is a violation of PCI DSS; it may also breach national privacy legislation. In particular, sensitive authentication data must never be stored after authorisation, even in encrypted form: full track 1 or track 2 data from the magnetic stripe or chip, PINs and PIN blocks, and card verification codes (CVV2, CVC2, CID). The card number itself (the primary account number, or PAN) may be retained only if it is rendered unreadable wherever it is stored, for example by truncation, tokenisation, strong one-way hashing or strong encryption; it must never be stored in clear text.
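A practical way to check whether any of the data elements listed above have crept into your own logs, databases or exports is to scan them. The Python below is an added example written for this page; it is not part of the original article and not a Retail Secure tool. It runs over constructed sample records (the card numbers are the publicly documented brand test numbers, not real cardholder data), flags Luhn-valid PANs, track 1 and track 2 patterns, verification codes and PIN fields, and shows the PAN masked to first six and last four digits. The field names, the regular expressions and the first-six/last-four masking rule are assumptions for the example, not something the page prescribes.

```python
import re

# Constructed sample records for this example only. The PANs are the
# publicly documented brand test numbers, not real cardholder data.
SAMPLE_RECORDS = [
    "2024-05-01 order=1001 pan=4111111111111111 exp=12/25 cvv2=123 amount=49.99",
    "2024-05-01 order=1002 track2=;5555555555554444=25121011234567890? pin_block=A1B2C3D4E5F60718",
    "2024-05-01 order=1003 token=tok_8f3a9c last4=0005 amount=12.00",
    "2024-05-01 order=1004 pan=378282246310005 amount=7.50",
    "2024-05-01 order=1005 ref=1234567890123 amount=3.00",
]

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run. The Luhn check filters most false hits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1: format code B, the PAN, then the '^' field separator.
TRACK1_RE = re.compile(r"%B\d{13,19}\^")
# Track 2: ';' PAN '=' YYMM expiry, service code and discretionary data.
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")
# Assumed field names for verification codes and PIN data (example only).
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid|cav2?)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)
PIN_RE = re.compile(r"\bpin(?:_block)?\s*[=:]", re.IGNORECASE)


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the Luhn-valid PANs found in text, with separators removed."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            pans.append(digits)
    return pans


def mask_pan(pan):
    """Render a PAN as first six and last four digits with the rest masked.

    Assumption for this example: the common 'first six, last four' display rule.
    """
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def classify_record(text):
    """Return (sorted list of prohibited data classes found, list of PANs)."""
    findings = set()
    pans = find_pans(text)
    if pans:
        findings.add("pan")
    if TRACK1_RE.search(text):
        findings.add("track1")
    if TRACK2_RE.search(text):
        findings.add("track2")
    if CVV_RE.search(text):
        findings.add("cvv")
    if PIN_RE.search(text):
        findings.add("pin")
    return sorted(findings), pans


def scan_records(records):
    """Scan stored records and report what must be purged or rendered unreadable.

    Track data, verification codes and PINs are sensitive authentication data and
    may not be retained after authorisation at all; a clear-text PAN may only be
    kept if truncated, tokenised, hashed or encrypted.
    """
    report = []
    for line in records:
        findings, pans = classify_record(line)
        report.append({
            "record": line,
            "findings": findings,
            "masked_pans": [mask_pan(p) for p in pans],
            "sad_present": any(f in findings for f in ("track1", "track2", "cvv", "pin")),
        })
    return report


if __name__ == "__main__":
    for entry in scan_records(SAMPLE_RECORDS):
        status = "PROHIBITED" if entry["findings"] else "ok"
        print(status, entry["findings"], entry["masked_pans"])
```

In the sample, the first two records would fail an assessment outright because they hold sensitive authentication data; the fourth holds a clear-text PAN that must be truncated or otherwise rendered unreadable; the tokenised record and the 13-digit reference that fails the Luhn check are reported clean. A real scan would also need to cover binary dumps, backups and log archives, not just text files.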
It is, of course, crucial to ensure that your shopping cart, payment gateway and terminals are compliant, so you are part of the way there. However, PCI DSS also covers your people, your processes and the physical security of your premises, not just the software, so a compliant cart on its own does not make you PCI compliant.
If you wait until your bank informs you, they will not only tell you to change your security practices, you will face a hefty fine too. There is no time to wait.
Many people believe that once they implement the right technology, such as anti-virus protection and encryption, they are compliant. Technology is only part of the picture: PCI DSS also requires policies, procedures, staff training and regular testing, and compliance is an ongoing process, so this is not the case.