PCI Data Security Standard Myths

As with many things in popular culture, the PCI Data Security Standard (PCI DSS) has accumulated its share of myths.  The PCI DSS has existed for many years, and despite the efforts of the PCI Security Standards Council (PCI SSC) and industry experts, many misconceptions persist.  Below we cover some common PCI DSS myths and the reality behind each.

PCI Myths

Written By: MegaplanIT Compliance Team


Thursday, May 26th 2022 / 9:30am MT

The PCI DSS only applies to larger companies.

The PCI DSS applies to all entities that store, process, or transmit cardholder data; the size of the company is irrelevant to whether the standard applies.  Every entity in PCI DSS scope is obligated to establish and maintain compliance with all applicable requirements at all times, not just at assessment time.  All business processes involving payment card transactions (card-present and card-not-present) are in scope even when transaction volumes are low.  Smaller or lower-volume entities may be eligible, subject to their acquiring bank or the card brands, to validate compliance using one of the Self-Assessment Questionnaires (SAQs) published by the PCI SSC rather than a full on-site assessment, but they are held to the same standard as larger enterprises for every requirement that applies to them.  Some SAQs also cover a reduced set of requirements based on the technology in use, such as the SAQ for merchants using a validated Point-to-Point Encryption (P2PE) solution (SAQ P2PE).

We don’t process payment transactions, so PCI cannot be applicable to us.

The PCI DSS applies to any entity that stores, processes, or transmits cardholder data, regardless of the business purpose.  Many service provider organizations handle cardholder data on behalf of their customers without being directly or even indirectly involved in payment transactions.  Others provide services that help customers meet specific PCI DSS requirements, or that could affect the security of their customers’ cardholder data environments (hosting, managed firewalls, or managed security monitoring, for example).  In all of these cases, the organization is a PCI service provider.  Service providers and their customers must determine which PCI DSS requirements apply to each party and ensure that, between them, every applicable requirement is covered.  Typically this is documented in a PCI DSS responsibility matrix that assigns each requirement (or the relevant part of it) to one party or to both.

No one is asking us to prove our PCI DSS compliance, so PCI is not applicable to us.

An organization can operate payment card business processes, or act as a PCI service provider, for some time without being asked to prove its compliance status, but that does not mean it is not required to maintain full compliance with the PCI DSS.  Newer merchants may be given a grace period by their acquiring banks before they must provide formal validation, but eventually every merchant will be required to attest to its compliance status.  Service providers that store, process, or transmit cardholder data, that provide services supporting their customers’ PCI DSS requirements, or that could affect the security of their customers’ cardholder data environments in any way must achieve and maintain compliance with all applicable requirements.  Their customers depend on that compliance status to achieve their own.

But we are a bank, so the PCI DSS is not applicable to us.

The PCI DSS applies to all entities that store, process, or transmit cardholder data, regardless of business type or sector.  Financial institutions may face unique compliance challenges related to the handling of cardholder data, but there is no exclusion from the PCI DSS for banks, credit unions, brokerage firms, or any other financial institution.  Where a financial institution also acts as a service provider, it must achieve and maintain compliance so that its partners can achieve compliance as well.

We have many security devices and controls in place that will prevent any potential data breaches, so PCI is not applicable to us.

There is no “easy button” for PCI compliance: deploying best-in-class security devices and services does not remove an organization’s need to achieve and maintain compliance with the PCI DSS.  Security controls and compliance are different things; the controls you deploy are the means of meeting the requirements, not a substitute for them.  That said, certain technologies and configurations can legitimately reduce PCI scope, for example network segmentation that isolates the cardholder data environment, validated P2PE solutions, tokenization, or outsourcing payment pages to a PCI DSS compliant third party.  Scope reduction carries its own obligations: segmentation controls must be verified to be effective (the PCI DSS requires penetration testing to confirm that segmentation actually isolates the cardholder data environment), and the compliance status of any third-party service relied upon must be confirmed and monitored.  The PCI experts at MegaplanIT can guide organizations through PCI scoping and scope reduction exercises so that they get the most value out of the security solutions already deployed while reducing risk to their business.

We can just ignore the PCI DSS because it is optional.

Like death and taxes, you can deny the reality of your PCI DSS obligations for only so long once storing, processing, or transmitting cardholder data is involved.  Merchants are required to provide a PCI Attestation of Compliance (AOC) to their acquiring bank(s); where this cannot be done in a timely manner, the merchant risks fines, higher transaction rates, or even losing the ability to process payment card transactions.  Service providers will be asked by their partners for an AOC covering the requirements applicable to their services; where they cannot provide one, they may lose customers or find themselves in breach of the terms and conditions they maintain with those customers.  The payment card brands may also reserve the right to levy fines against service providers or to restrict access to some card brand networks and services.  Beyond the business risk of being unable to produce an AOC, non-compliance with the PCI DSS leaves cardholder data exposed, and a breach of that data carries serious financial and legal consequences.

At MegaplanIT, We Know PCI.

Merchants and service providers must take proactive steps to understand their PCI scope and then to achieve, validate, and attest to their PCI DSS compliance. Our PCI-DSS Plus program is an all-in-one solution for PCI-DSS compliance that was designed to address these particular concerns. Our bundled compliance solution takes a streamlined approach, both on and off-site, to get your business ready for your next assessment and keep you compliant all year long. Our expert security consultants and QSAs are fully certified and have decades of experience helping businesses like yours stay safe from cyber threats. Set up a time to chat with us about your biggest payment security and compliance challenges so we can partner with you to solve them!

Additional Blog Reading

Developing An Effective Compliance Program

This whitepaper provides organizations with a path forward. We will walk through aspects of an effective compliance program and how it can be valuable to your business. We will also outline critical steps towards developing and implementing a useful and effective Compliance Program.

Ransomware Preparedness Assessment

As new vulnerabilities emerge in response to ongoing geopolitical threats, are you confident that your organization could defend against a ransomware attack? If not or if you are unsure, MegaplanIT is offering a Ransomware Readiness Assessment free of charge for up to 50 Systems. 

Cybersecurity Roadmap For 2022

Companies need to be aware of their current state, where they need improvement, and how to be proactive moving forward. Dialing in on the key elements your organization will need to succeed is a great starting point to having a full-fledged plan in place, and it all comes down to the fundamentals. 
