5 Myths and Misconceptions about PCI Compliance
No one is ever going to argue that PCI compliance is something they enjoy. Most merchants are more likely to consider PCI requirements one of their biggest payment processing challenges. However, investing the time and effort needed to properly understand PCI requirements is worthwhile. It can protect your customers’ sensitive data, your relationships with them and the good standing of your credit card processing accounts.
There are a number of myths and misconceptions that plague merchants and credit card processing sales agents alike. As a result, many merchants make costly errors that could otherwise have been avoided. By familiarizing yourself with the most common myths, you can gain a better understanding of PCI compliance and its role in your business.
1. PCI Compliance Is Only Necessary if You Are a Big Business
Some merchants mistakenly believe that they don’t need to be PCI compliant because they don’t process many credit card sales. However, the truth is that there is no threshold for PCI compliance requirements. Even small and seasonal businesses need to maintain PCI compliance to protect their customers’ data.
PCI compliance, instead, is broken into four levels, with stronger requirements for those with larger numbers of sales. The levels are:
Merchants who process fewer than 20,000 Visa e-commerce transactions annually and all merchants processing up to one million brick and mortar transactions annually.
Merchants processing between 20,000 and one million Visa e-commerce transactions each year.
Merchants who process one to six million Visa e-commerce transactions each year across all channels.
Merchants who process more than six million Visa transactions, whether e-commerce, brick and mortar or other channels.
Levels 2 through 4 all have the same validation requirements. Once a year, they need to submit a Self-Assessment Questionnaire (SAQ) and an Attestation of Compliance (AOC). Once a quarter, they need to conduct a network scan through an Approved Scan Vendor (ASV). Level 1 merchants need to do all of the above, plus also file a Report on Compliance performed by either an internal auditor or a Qualified Security Assessor four times a year. They’ll also need to conduct, if applicable, a quarterly network scan performed by an ASV.
2. PCI Compliance Is Mandated by Federal Law
Many people mistakenly believe that PCI compliance is a government regulation. However, the Payment Card Industry Data Security Standard is actually a standard created by credit card companies and enforced by banks, merchant service providers and card networks. No law enforcement entity is involved in PCI compliance at any level.
The processing industry has allowed this myth to persist for a few good reasons. First, when merchants believe that this is a system upheld by law, they are more likely to stay compliant. Additionally, they’re more likely to accept non-compliance fees when they believe that these are regulations that the card companies have no control over.
Just because the standards are not government mandated, however, doesn’t mean that there isn’t strong reasoning behind them. The fees were created as a way to dissuade merchants from behavior that could lead to data breaches. These breaches are costly for processors and highly detrimental to consumer trust.
3. If You Outsource Your Credit Card Processing, You Don’t Have to Worry about PCI Compliance
Many small businesses opt for non-traditional credit card processing options like Square or Clover because they want to avoid the costs and responsibilities that come with a traditional merchant account. Among those is PCI compliance.
However, this is not necessarily the case. Your payment processor may well offer software and hardware that are both PCI compliant. And, if you use these services, you may never be asked to complete tasks like Self Assessment Questionnaires. That does not mean that you are not bound by PCI compliance rules.
There are many factors in your own business that can lead to risks of breaches and failure to stay compliant. Operating without antivirus programs, allowing employees to share logins or storing credit card data improperly are all violations that can lead to costly fines for your business.
4. PCI Compliance Is Only for Businesses That Store CC Information
It makes a certain intuitive sense: if you aren’t storing data, you don’t need to worry about how that data is stored, right? However, this interpretation misses the fact that credit card data still needs to be processed or transmitted. You need to be concerned about how sensitive customer data is handled as it is transmitted over phone lines, faxes, networks and other conduits.
Businesses that do not store data are exempt from some compliance requirements. However, they will still need to comply with all requirements that affect how data is cared for while it is being collected and transmitted.
5. The PCI Data Security Standard Is Open to Interpretation
Many people who do not fully understand PCI compliance requirements mistakenly conclude that these requirements are vague and open to interpretation. This is incorrect. The PCI Data Standard is highly comprehensive; many consider it the most specific and comprehensive set of security controls ever created. The document outlining the requirements and procedures spans 73 pages, plus additional support documents available on the PCI Security Standards Council’s website. If you are having trouble understanding the requirements, it is best to bring in outside help from people who can help you learn what is needed and how to stay compliant.
You do not have to deal with the intricacies of PCI compliance alone. At I.S. Partners, LLC, we help you navigate this and other compliance issues to ensure that your business runs the way that it should. Launch a chat session, send us a message, or call us at (215) 675-1400 to discuss your compliance needs for PCI DSS and the GDPR.