PCI Data Security Standard Myths

As with many things in popular culture, the PCI Data Security Standard (PCI DSS) has accumulated a set of myths. The standard has existed for many years, and despite the efforts of the PCI Security Standards Council (PCI SSC) and industry experts, many misconceptions persist. Below we cover some common PCI DSS myths and the reality behind each.

The PCI DSS only applies to larger companies.

The PCI DSS applies to every entity that stores, processes, or transmits cardholder data. The size of the company is irrelevant to whether the standard applies. All entities in PCI DSS scope are obligated to establish and maintain compliance with all applicable requirements continuously, not just at assessment time. Every business process that involves payment card transactions (card-present and card-not-present) is in scope, even when the transaction volume is low. Lower-volume merchants are typically permitted by their acquirer and the card brands to validate with a Self-Assessment Questionnaire (SAQ) published by the PCI SSC rather than an on-site assessment by a Qualified Security Assessor (QSA), but they are still held to the same requirements as larger enterprises. The PCI SSC also publishes reduced-scope SAQs whose eligibility depends on the technology in use, such as SAQ P2PE for merchants using a validated Point-to-Point Encryption solution.

We don’t process payment transactions, so PCI cannot be applicable to us.

The PCI DSS applies to any entity that stores, processes, or transmits cardholder data, regardless of its business purpose. Many service providers handle cardholder data on behalf of their customers without being directly or even indirectly involved in payment transactions. Other service providers deliver services that help customers meet specific PCI DSS requirements, or that can affect the security of their customers' cardholder data environments (managed firewalls, hosting, log monitoring, and similar). In both cases the organization is a PCI service provider. Service providers and their customers must determine which PCI DSS requirements apply to each party and ensure that, taken together, their coverage addresses every applicable requirement. Typically this is documented in a PCI DSS responsibility matrix that assigns each requirement to one party or to both; the standard also requires entities to track which requirements are managed by each of their third-party service providers and which they manage themselves, so the matrix should be maintained, not produced once and forgotten.

No one is asking us to prove our PCI DSS compliance, so PCI is not applicable to us.

An organization can operate payment-card business processes, or act as a PCI service provider, without anyone having asked it to prove its compliance status. That does not mean the organization is exempt from maintaining full compliance with the PCI DSS. Newer merchants may be given time by their acquiring bank before they must formally validate their compliance status, but eventually every merchant will be required to attest to it. Service providers that store, process, or transmit cardholder data, that provide services supporting their customers' PCI DSS requirements, or that can affect the security of their customers' cardholder data environments in any way, must achieve and maintain compliance with all applicable requirements. Customers of PCI service providers depend on the compliance status of those providers to achieve their own.

But we are a bank, so the PCI DSS is not applicable to us.

The PCI DSS applies to all entities that store, process, or transmit cardholder data, regardless of business type or sector. Financial institutions may face unique compliance challenges related to the handling of cardholder data, but there is no exclusion from the PCI DSS for banks, credit unions, or brokerage firms. Where such an institution acts as a service provider, it must achieve and maintain compliance so that its partners can achieve compliance as well.

We have many security devices and controls in place that will prevent any potential data breaches, so PCI is not applicable to us.

There is no "easy button" for PCI compliance: deploying best-in-class security devices and services does not remove the need to achieve and maintain compliance with the PCI DSS. Certain technologies and configurations can, however, reduce the size of an organization's PCI scope. Examples include network segmentation that isolates the cardholder data environment from the rest of the network, tokenization that replaces stored primary account numbers with tokens, and validated P2PE solutions that keep clear-text cardholder data out of the merchant environment. Scope can also be reduced by using PCI-compliant third-party services for functions such as payment processing or hosting. Each of these must be verified rather than assumed: segmentation controls, for instance, must be tested to confirm that they actually isolate the cardholder data environment, and third-party services only reduce scope to the extent that the provider's attestation covers the services actually used. The PCI experts at MegaplanIT can advise and guide organizations through PCI scoping and scope-reduction exercises so that they get the most value out of the security solutions already deployed while reducing risk to the business.

We can just ignore the PCI DSS because it is optional.

Like death and taxes, you can only deny your PCI DSS obligations for so long once the storing, processing, or transmitting of cardholder data is involved. Merchants will be required to provide a PCI Attestation of Compliance (AOC) to their acquiring bank(s); where this cannot be done on time, the organization risks fines, higher transaction rates, or even the loss of the ability to process payment card transactions. Service providers will be asked by their partners for a PCI AOC covering the requirements applicable to their services; where this cannot be provided, they may lose customers or find themselves in violation of the terms and conditions they hold with those customers. The payment card brands may also reserve the right to levy fines against service providers or to limit their access to some payment card brand networks and services. Beyond the business risk of being unable to provide an AOC to acquiring banks or partners, non-compliance with the PCI DSS leaves the organization more exposed to a breach of cardholder data, with serious financial and legal consequences.

At MegaplanIT, We Know PCI.

Merchants and service providers must take proactive steps to understand their PCI scope and then to achieve, validate, and attest to their PCI DSS compliance. Our PCI-DSS Plus program is an all-in-one solution for PCI DSS compliance designed to address these concerns. Our bundled compliance solution takes a streamlined approach, both on- and off-site, to get your business ready for its next assessment and keep you compliant all year long. Our security consultants and QSAs are fully certified and have decades of experience helping businesses like yours stay safe from cyber threats. Set up a time to chat with us about your biggest payment security and compliance challenges so we can partner with you to solve them.
