PCI compliance myths

Understanding the complex world of PCI compliance is a challenging task, especially if you’re a small business owner whose area of expertise isn’t based in the technology and security space.

There is a lot of information, and misinformation, surrounding Payment Card Industry Data Security Standard (PCI DSS), which can be confusing for people who haven’t had experience with the compliance requirements before. You may have heard about PCI from your payments gateway, or from your business owner friend, or perhaps you’ve done your research and know that there’s a questionnaire you should be filling out.

While PCI compliance might seem tricky or overwhelming at first glance, with good guidance and tools (which you have through the MTI program) it can be a simple process to become compliant and protect your business from the threat of cyberattacks.

For a complete breakdown of what you need to do to meet the PCI DSS requirements for your business see our business security solutions. But if you’ve been hearing some mixed information that’s left you in doubt about whether or not you need to be PCI compliant, here are some of the top misunderstandings around PCI DSS compliance and the information to set you on the right track.

  • I’m a small business with only a few card-paying customers, so I don’t need to worry about PCI DSS compliance

No matter how big or small your business is, PCI DSS compliance applies to every business that processes, stores or transmits credit card data. Unless you only process card payments using a stand-alone eftpos terminal for face-to-face transactions, you have a responsibility to be compliant with the PCI DSS requirements. It only takes one data breach for you to be fined for not protecting your customers’ credit card details.

  • Outsourcing card processing makes my business compliant

The obligation to be able to show PCI DSS compliance is with you, the merchant. You can use PCI DSS compliant third parties like eWAY to manage aspects of your card processing, but there are still many touch points on your business’s end that require you to implement PCI DSS compliance best practices. Ensuring every touch point meets the PCI DSS (Data Security Standard) means you’re doing your part in preventing cyberattacks and the huge implications an attack can have on your business.

  • I don’t need to follow ALL of the PCI DSS requirements

PCI DSS compliance isn’t a pick-and-choose deal. In order to be PCI DSS compliant you are required to meet all 12 of the PCI DSS requirements. Together, these requirements make up the basic security measures every business should have in place to protect both their customers and themselves from data breaches.

  • I’ve never had a breach so I don’t need to worry about PCI DSS

You might have heard that PCI DSS compliance only needs to be done if you’ve experienced a breach in your security. This isn’t true, although following a breach your acquirer may force you to undergo a security remediation program and have your PCI DSS compliance audited. You need to be PCI DSS compliant whether or not you’ve had a data breach. The PCI DSS security requirements will help prevent data breaches, and may well save your business. Prevention is much better than cure.

  • PCI DSS compliance is only for businesses that store credit card information on their computers

Any business that handles credit card information, which includes capturing it in paper or electronic form, transmitting it to another organisation, or storing it, must be PCI DSS compliant. There are many touch points in your business that can come into contact with credit card data and therefore need to be PCI DSS compliant. You might process payments over the phone, receive credit card data via email or store physical records of payment details in your office. All areas in your business need to comply with the PCI DSS requirements, so make sure you’ve read and understood all the different touch points.

  • All I have to do is answer yes to everything on the Self-Assessment Questionnaire

The Self-Assessment Questionnaire involves answering a lot of detailed questions about how you manage credit card details and the security of your business. This is to get an accurate understanding of your business’s processes around credit card data. However, just answering ‘yes’ to every question does not make you and your business compliant. Answering the questions honestly means that you will be prompted to take the right security measures for your business so that you will be truly PCI DSS compliant. Answering ‘yes’ to every question when that is not the true answer means you will be leaving your customers and yourself vulnerable to a data breach.

  • Our developers said our website is PCI DSS compliant

While parts of your website may indeed be PCI DSS compliant, it is your responsibility to ensure every area of your business is PCI DSS compliant. There are many other touch points your business may have with credit card data that you may not be aware of. If a data breach does occur, you will be the one held responsible for the breach and the repercussions will land with you.

If you only process payments through your website, there are still two requirements you need to meet:

  • Ensure that your web page is hosted securely, and regularly patched and scanned for vulnerabilities
    • your MTI subscription includes a vulnerability scanner
  • Complete the Self-Assessment Questionnaire (SAQ-A or SAQ-A-EP)
    • use the Trustkeeper assessment tool, select [eWAY | Web Active Corporation] as your payment provider and choose “I fully outsource my payment processing”

  • PCI DSS compliance is expensive

The idea that you might have to hire a specialist to help you with your PCI DSS compliance is incorrect. Business owners enrolled in our Merchant Trust Initiative (MTI) program are given the tools and help they need to fulfil all of their PCI DSS compliance responsibilities. If you’re feeling overwhelmed or in need of assistance with meeting your PCI DSS compliance requirements or in conducting the PCI DSS Self-Assessment Questionnaire, give us a call on 1300 763 256 or send an email to our team who can assist you with all your PCI DSS compliance needs.