There are many PCI DSS compliance myths floating around in the online retail industry. It is an easy subject to find, but a difficult one to navigate. Here is the reality: if your business accepts credit cards, your transactions must comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a set of standards that applies to any company that accepts, processes, stores or transmits credit card data. Whether your business is done online, at a physical location, or a combination of both, the PCI council is interested in how well you secure this data.
Compliance with the PCI DSS can be a technical and in-depth process. However, it is absolutely essential when it comes to protecting customer and employee data. The first rule of success in business is that your customers trust you, and that includes trusting you with their data.
The PCI Compliance Guide has identified a number of myths and misconceptions about PCI compliance for online businesses that we will look at a little more closely here.
Myth #1: I am a small merchant that does not process many transactions, so PCI DSS does not apply to me.
Have you been told that PCI DSS regulations do not apply to small businesses or businesses that process only a handful of cards a year? Have you heard that compliance standards do not include those that are not yet big enough businesses for the PCI Security Standards Council (PCI SSC) to notice them? If so, it’s critical to be aware those statements are false.
Those are common misconceptions. While you may not be required to submit a compliance report to the PCI SSC, they suggest you use a Self-Assessment Questionnaire to determine if you are in compliance. If you have a security breach and are not in compliance, ignorance will not excuse you from the consequences, including hefty fines and reputational harm.
Myth #2: If we meet the majority of the PCI Compliance criteria, we are fine.
Complying with PCI DSS is essentially the bare minimum that your organization should be undertaking to ensure the safety of your customers’ data. Organizations need to meet 100 percent of the criteria to be in compliance. Even then, full compliance does not necessarily mean your systems or data are completely secure. Just remember, should your company fail a PCI audit, you could lose the ability to process any credit card transactions at all. That consequence alone is something few businesses can survive, especially online retailers.
PCI DSS has established itself as a tested framework for payment security with benefits that extend beyond the protection of cardholder data. In fact, 49 percent of organizations worldwide are leveraging PCI DSS compliance efforts to meet other security requirements, reported Verizon.
Myth #3: PCI DSS standards only apply to credit cards, not ATM/debit card data.
Since debit cards are often processed on credit card systems and are issued by the same banks and credit card providers, they fall under the rules of the PCI DSS. The same protections exist for debit card information as credit card data.
Myth #4: As a merchant, we never signed anything about PCI DSS compliance, so it does not apply to us.
When you applied for merchant status, whether it was through your bank, a third-party processor like PayPal or Square, or directly with a credit card service, you agreed to abide by the PCI standards. It is part of your contract. Abiding by these standards means that it is your responsibility to be compliant if you wish to continue accepting payment by credit card. If you have set up a merchant account that allows you to receive payments this way, then PCI DSS applies to you and your business.
Myth #5: As a merchant, we are allowed to store any data we want.
Many companies believe that because customers have given them this information, they have a right to store any and all of it to help their business maintain efficiency. Unfortunately, storing certain types of information violates the PCI DSS and may also be a violation of State and Federal privacy laws. The PCI DSS regulations explicitly forbid storing any of the following:
- Unencrypted credit card number(s)
- CVV or CVV2 – the 3- or 4-digit security code printed on the back of the card
- PIN blocks
- PIN numbers
- Track 1 or 2 data – the information stored in the magnetic stripe or chip
Should an audit take place and any of these prohibited data be found in your databases, log files, audit trails, backups or other storage media, you will face serious consequences. If your system is identified as the place where a security breach happened, causing the release of card users’ financial data, you will be subject to fines and can be held liable for the resulting losses. Additionally, companies can be blacklisted by banks and credit card providers and cut off from doing business with them.
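The prohibited-data list above is exactly what an audit looks for in logs and backups, and the place it most often leaks is application logging. The following added example (not from the original article or from LightEdge) scans constructed sample log lines for card numbers, labelled security codes and track data, uses a Luhn check so that order and session ids are not flagged as PANs, and shows how a log line must be sanitized before it is written: PAN truncated to the last four digits, CVV and track data dropped outright.

```python
import re

# Constructed sample log lines for this example (not from the page). The card numbers
# are the standard public test PANs; nothing here is real cardholder data.
SAMPLE_LOG = """\
2018-09-25 10:01:02 INFO order=1001 pan=4111111111111111 cvv=123 amount=42.00
2018-09-25 10:01:03 INFO order=1002 track=%B5555555555554444^DOE/JOHN^2512101?
2018-09-25 10:01:04 INFO order=1003 ref=1234567812345678 amount=9.99
2018-09-25 10:01:05 INFO order=1004 session=9876543210123456789 ok
"""

PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")  # candidate card numbers (13-19 digits)
CVV_RE = re.compile(r"\b(?:cvv2?|cvc|csc)\s*[=:]\s*\d{3,4}\b", re.I)  # labelled security codes
TRACK_RE = re.compile(r"%B\d{13,19}\^[^^]*\^\d{4}[^?]*\??|;\d{13,19}=\d{4}\d*\??")  # track 1 / 2

def luhn_ok(digits: str) -> bool:
    """Luhn check: cuts false positives from order ids, session ids and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_line(line: str) -> list:
    """Return the kinds of prohibited data found in one log line."""
    findings = []
    if TRACK_RE.search(line):
        findings.append("track")
    if CVV_RE.search(line):
        findings.append("cvv")
    if any(luhn_ok(m.group(1)) for m in PAN_RE.finditer(line)):
        findings.append("pan")
    return findings

def scan_log(text: str) -> dict:
    """Map 1-based line numbers to findings, for lines that contain prohibited data."""
    return {n: f for n, line in enumerate(text.splitlines(), 1) if (f := scan_line(line))}

def sanitize(line: str) -> str:
    """Drop track data and security codes entirely; keep only the last four PAN digits."""
    line = TRACK_RE.sub("[TRACK-REDACTED]", line)
    line = CVV_RE.sub("[CVV-REDACTED]", line)
    return PAN_RE.sub(lambda m: "*" * (len(m.group(1)) - 4) + m.group(1)[-4:]
                      if luhn_ok(m.group(1)) else m.group(1), line)
```

Running scan_log over existing log archives and backups is a cheap first pass before an audit; sanitize belongs in the logging layer so the data never reaches disk in the first place.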
Myth #6: My business is safe. We are using someone else for all of our credit card processing.
Many businesses wrongly believe that outsourcing their card processing makes them compliant. This is one of the most common and most dangerous myths. Businesses assume the easiest way to avoid having to actively comply with PCI DSS regulations is to engage someone else to handle all of their e-commerce credit card processing. This is not the case. There are a few hidden pitfalls to avoid and best practices to follow to ensure that you are not at risk when outsourcing card processing.
Outsourcing Best Practices to Avoid Compliance Risks
First and foremost, the PCI SSC considers it your responsibility to ensure that your payment card data transactions are secure from end-to-end. If you choose to outsource part or all of this to a third party, you need to be certain that their tools, processes, and platforms are also PCI compliant and secure.
Recent changes to the PCI DSS (v 3.2.1 issued May 2018) require more frequent testing by service providers to ensure compliance and security. Data segmentation testing is moving from annual to every six months, and penetration testing should occur frequently and regularly. A good service provider should be able to provide you with both the results of vulnerability testing on the web application that you are using and proof that they are PCI DSS compliant.
It is also relatively easy to fall out of compliance if your business assumes that outsourcing card processing and data to third parties covers anything beyond the services outlined in the contract. For instance, suppose you have a secure shopping cart and a processing provider that is PCI compliant, but you also take orders over the phone, so someone at your location is keying card data into that system. That would throw you back into the compliance loop, as processing payments over the phone is done over insecure communications lines and gives access to card data to people outside of the service provider’s scope.
PCI DSS Challenges to Avoid
Among the challenges of staying in compliance is keeping sensitive data that falls under PCI DSS segmented from other data. Customer information that relates to credit card data is not meant to reside on the same server as any of your other data.
Trying to save money on the front end could end up costing you more than you hoped to save in the long run, especially if you experience a data breach. The PCI Council has issued Payment Application DSS as well, and they are changing and updating those requirements as frequently as the PCI DSS. Your hosting provider must have rigorous security standards in place. If they do not, your organization runs the risk of having to redo an entire online retail site.
Working with a PCI compliant data center and hosting provider who also maintains a high level of security and constant testing will ensure that you are less vulnerable. With increasing incidents of cyber-attacks specifically designed to acquire credit card data and resell it on the dark web, PCI DSS compliance alone will not necessarily keep your data safe.
Myth #7: If we set it up right the first time, we are fine.
The PCI DSS compliance requirements change over time. The most recent version issued in May of 2018 was specifically updated to address the fact that this is not a one-time process or even an annual review, but an on-going one.
According to Troy Leach (CTO of PCI Security Council) “Analysis of recent cardholder data breaches and PCI DSS compliance trends reveal that many organizations view PCI DSS compliance as an annual exercise and do not have processes in place to ensure that PCI DSS security controls are continuously enforced. The process of adhering to PCI DSS requirements is what is meant to be PCI compliant.”
If your company does not have the resources or personnel to build and maintain a completely PCI compliant system, you are better off finding good partners with the proper tools and the resources to do this for you. But make sure that they, too, are constantly in a process of improving their own security.
These Are Only a Few of the Things to Consider…
As we mentioned at the beginning, PCI DSS compliance is complex and often difficult to navigate. With these seven common myths, we have only scratched the surface. If you have gotten this far and are feeling like it is all a bit overwhelming, it may be time to hire some expert help. You are also not alone. For six years in a row, Verizon reported a steady increase in compliance with the PCI DSS security standard for payment security. Unfortunately, that trend has now changed course.
On September 25, 2018, Verizon released its 2018 Payment Security Report, revealing a drop in Payment Card Industry Data Security Standard compliance. In the 2018 report, 52.5 percent of organizations were compliant with PCI-DSS, declining from 55.4 percent that was reported last year.
Get the Facts with LightEdge’s World-Class PCI DSS Compliant Data Centers
As a top-tier colocation services provider, we provide a high level of availability and reliability through secure, certified data centers and dedicated staff onsite. Our customized and scalable services give you the control, whether you need a colocation rack, cage, or custom suite now or in the future.
Tracking and monitoring all access to network resources and cardholder data, including the regular testing of controls, systems, and processes, is critical. Our colocation centers have a plan in place that tracks and monitors all access to network resources and cardholder data. Log files, system traces or any tool enabling the tracking of access to sensitive data are critical in preventing, detecting, or minimizing a data breach. The availability of logs enables tracking, alerting, and analysis when an intrusion occurs. LightEdge also regularly tests our security systems and processes.
LightEdge’s highly-trained compliance and security experts take the guesswork out of keeping your business protected. Trust our expertise to ensure you are covered through our security and compliance services, including risk management, information security, audit preparedness, and support.
With geographically-dispersed facilities across all of the US power grids, our data centers are the heart of our operation and yours. We have a wide range of colocation and disaster recovery solutions delivering advanced shared infrastructure designed to enable operational and financial efficiency, reducing the burden on your IT staff.
Our LightEdge facilities are more advanced than traditional data centers. We have created true Hybrid Solution Centers designed to offer a complete portfolio of high speed, secure, redundant, local cloud services and managed gateways to public clouds through our hardened facilities.
Customers turn to LightEdge to reduce the risk of non-compliance, scale security, and gain predictability and cost-effectiveness. LightEdge provides customers with an extended team of experienced engineers and helps them focus resources on agility and differentiation. Are you curious how your current provider stacks up? Our security experts will provide a free security assessment to see how you measure up against the latest compliance and security standards. No risk, no commitment. Contact us today to get your free security assessment.