Top PCI Compliance Myths Debunked

September 1, 2015 at 10:00 AM

PCI compliance is a topic we hear about all the time, yet there remains a significant amount of confusion around what is required, who needs to be compliant, and how to go about becoming compliant. Note that the PCI Data Security Standard (PCI DSS) is an industry standard maintained by the PCI Security Standards Council and enforced through the card brands and acquiring banks, not a government regulation. Couple this with the fact that the standard is revised periodically and the attention that PCI compliance receives after high-profile breaches, and the confusion only increases.


In short, any organization that accepts credit or debit cards as a form of payment, whether in person or over the internet, and any organization that stores, processes, or transmits cardholder data on a merchant's behalf, needs to be PCI compliant. However, many myths surround PCI compliance, so in no particular order, here is a brief list of some of them:

  • I'm too small to need to be PCI compliant - False. Any merchant that accepts credit or debit cards must be PCI compliant. Whether you process one card a year or a million, you must be compliant; what changes with volume is your merchant level and therefore how you validate compliance (a self-assessment questionnaire for smaller merchants, an on-site assessment for the largest), not whether the requirements apply.
  • I can wait until my bank tells me to comply - Also false. The time to be compliant has passed, and by waiting you are not only exposing yourself to potential breaches, you are also putting yourself in the position of having to "rush" through becoming compliant, which can be dangerous.
  • Outsourcing card processing is all I need - Not true. Outsourcing credit card processing reduces your scope, but it does not absolve you of all responsibility. You must still validate compliance for the portion of the process that remains with you (for example, the web page that redirects customers to the payment processor, and the people and systems that touch card data), and you are responsible for confirming that your service providers are themselves PCI DSS compliant.
  • PCI compliance is for IT only - Not true. In most organizations, cardholder data flows beyond IT to departments such as customer service, sales, and finance, and every place it is handled is in scope. Taking a holistic approach across the organization is a best practice that should be implemented.
  • PCI compliance is hard - PCI compliance can be challenging for an organization, especially the first time through. However, by implementing sound security practices in your organization, such as reducing where card data is stored and handled in the first place, you put yourself in a much better position to comply with the latest PCI DSS.

Depending on your organization, it may make sense to engage a Qualified Security Assessor (QSA), an assessor certified by the PCI Security Standards Council, for assistance in becoming PCI compliant. The bottom line is that while complying with the PCI Data Security Standard may be challenging, the cost of non-compliance can be catastrophic to an organization, particularly if there is a breach of credit card data.

For assistance with becoming PCI compliant, download our free PCI Compliance Brochure, which outlines the services that Compass IT Compliance offers organizations of all sizes to assist with their compliance needs.
