Common PCI Compliance Myths (and Facts that Could Save You From Steep Fines)
The Payment Card Industry Data Security Standards, more commonly known as PCI DSS, affect any organization that stores, processes or transmits credit card holder data. Comprising 12 operational and architectural high-level areas, the DSS remains widely misunderstood by organizations and merchants of all sizes.
Based on a decade of experience helping clients design and maintain compliant hosting environments, here are a few of the top PCI myths we’ve encountered, as well as the reality underlying each.
Myth: “PCI is only for large merchants, so we don’t have to worry.”
If you are a merchant that accepts, stores or processes credit cards, regardless of the mechanism, you need to follow PCI DSS. The PCI Security Standards Council divides merchants into four different levels.
Large, Level 1 merchants (more than 6 million annual transactions) require a certified auditor to verify adherence across all 12 standards, as well as regular network scans. If you’re a smaller merchant (Levels 2-4), you must complete an annual self-assessment questionnaire (SAQ) and undergo approved network security scans.
Myth: “My hosting provider is PCI compliant, so I am PCI compliant.”
Relying on a trusted hosting provider to help you execute portions of the DSS is an excellent idea. But be careful. The transitive property does not apply to PCI. If your provider, or any vendor for that matter, touts their own PCI Compliance, it does not inherently make you compliant. It simply means that your hosting provider has security policies in place to protect credit cards in their own billing system.
For example, requirement 6.5b states: “Examine records of training to verify that software developers receive up-to-date training on secure coding techniques at least annually, including how to avoid common coding vulnerabilities.” Unless our development team is secretly inviting customers to internal training sessions (which, who knows, they’re pretty great people and teachers), our customers’ coders are not covered under PCI simply because they host with SingleHop.
So where can your hosting provider help you? Ideally, with both architecture and ongoing managed security operations. For instance, a SingleHop Hosted Private Cloud, backed by Shield Plus PCI, accounts for significant portions of the DSS (standards 1, 5, 6, 9, 10, 11, and 12), covering everything from firewall configuration and application security to monitoring and network testing. Download our handy reference guide below for more information.
Myth: “Outsourcing card processing makes us compliant.”
Similar to the above answer, outsourcing can greatly simplify the compliance project, and can satisfy many standards; it does not, however, automatically provide universal compliance. Assuming otherwise can open you up to major blind spots. For instance, do you also accept payment over the phone or store credit card holder data in any other capacity? If so, you’ll need to consult PCI standard 3 and pay close attention to your internal procedures.
Myth: “I’ve already got Web Application Firewalls (WAFs) and an SSL certificate. My application security and infrastructure are covered.”
That’s a great start, but doesn’t cover everything. Check out our reference architecture for a Dedicated Private Cloud with Shield Plus Compliance here. Isolating your cardholder data environment in a protected network separate from your e-commerce site and ensuring that inspection technologies such as intrusion detection, vulnerability scanners, and log managers are connected to the environment are both essential elements of fully compliant architectures.
Myth: “I achieved 90% of the DSS. I passed!”
No, you didn’t. Your mother may be very, very proud, but your bank frankly doesn’t care about anything less than 100%. In my opinion, this is far from an overly rigid benchmark set by the Security Standards Council. After all, a single missing PCI control can be exploited by an attacker and lead to a breach of sensitive data.
Myth: “Okay, now I’m 100% PCI Compliant. See you next year!”
Viewing PCI DSS like your annual physical misses the point. The data security standards lay out a process for constant enforcement and adherence. If you’re not testing and exhibiting diligence on a daily basis, your company is, by definition, not PCI compliant. It’s common for companies to fall behind on rigid standards like daily log inspection (DSS 10.6.1). In that case, make sure you are lining up the resources and tools to get the job done, even if that means tagging in a third party.
Myth: “Credit card companies can fine me if they find out I’m not in compliance.”
While it’s true that PCI DSS represents the major payment card brands and is governed by the independent Security Standards Council, it’s actually your acquiring bank (the folks that enable you to process credit cards) that levies fines and wields the authority. However, those fines will most likely only be issued if you suffer a data breach and are found to be out of compliance. The goal is that by closely following the DSS, you’ll never have to cross that bridge.
Myth: “I don’t process, store or transmit credit card holder data, so the PCI DSS is of little use to me.”
While a seemingly logical position, SingleHop engineers cordially do not endorse this viewpoint. Even if you’re not mandated to follow PCI, it’s very much worth getting acquainted with the standards. Consider it a list of best practices that provide a basic security framework designed to safeguard any business operating in the digital age. In fact, you could easily use the DSS as a template for creating a high-level security policy around any type of sensitive data that needs protection. Need to lock down patient health information or student records? Simply replace mentions of credit card information (primary account number, cardholder name, etc.) with the relevant HIPAA or FERPA information (SSAN, patient name/student name, etc.). Just doing that gives you a security policy that would rank well above average.
Want to learn more about PCI DSS compliant architecture? Download the guide below.