The information below was excerpted from the PCI Security Standards Council article of the same name. It can be found at https://www.pcisecuritystandards.org/documents/
PCI DSS specifies 12 requirements entailing many security technologies and business processes, and reflects most of the usual best practices for securing sensitive information. The resulting scope is comprehensive and may seem daunting – especially for smaller merchants who have no existing security processes or IT professionals to help guide them through what is required and what is not. As a result, retailers who are new to security may harbor myths about the PCI DSS.
Myth 1 – One vendor and product will make us compliant. Regretfully, no single vendor or product fully addresses all 12 requirements of PCI DSS. Instead of relying on a single product or vendor, merchants, service providers and processors should implement a holistic security strategy that focuses on the “big picture” related to the intent of the PCI DSS requirements.
Myth 2 – Outsourcing card processing makes us compliant. Outsourcing simplifies payment card processing but does not provide automatic compliance. Don’t forget to address policies and procedures for cardholder transactions and data processing, as well as the other requirements of the PCI DSS 3.x standard.
Myth 3 – PCI DSS compliance is an IT project. The IT staff implements technical and operational aspects of PCI-related systems, but compliance to the payment brand’s programs is an ongoing process of assessment, remediation and reporting.
Myth 4 – PCI DSS will make us secure. Successful completion of a system scan or PCI DSS assessment is but a snapshot in time. PCI DSS compliance efforts must be a continuous process of assessment and remediation to ensure safety of cardholder data.
Myth 5 – PCI DSS is unreasonable; it requires too much. Most aspects of the PCI DSS are already a common best practice for security. The standard also permits the option of using compensating controls to meet most requirements. The standard provides significant detail, which benefits merchants and processors by not leaving them to wonder, “Where do I go from here?”
Myth 6 – PCI DSS requires us to hire a Qualified Security Assessor. This is not true, particularly for smaller merchants. Smaller merchants may be eligible to self-assess their compliance and validate using the Self-Assessment Questionnaire (SAQ) found on the PCI SSC web site.
Myth 7 – We don’t take enough credit cards to be compliant. PCI DSS compliance is required for any business that accepts payment cards – even if the quantity of transactions is just one.
Myth 8 – We completed a SAQ so we’re compliant. SAQs are validation tools for eligible merchants and service providers to report that they have evaluated their PCI DSS compliance through a self-assessment. A completed SAQ represents a snapshot of the particular moment in time when the SAQ and the associated vulnerability scan were performed. True security of cardholder data requires non-stop assessment and remediation to ensure that the likelihood of a breach is kept as low as possible.
Myth 9 – PCI DSS makes us store cardholder data. Both PCI DSS and the payment card brands strongly discourage storage of cardholder data by merchants and processors. If merchants or processors have a business reason to store front-of-card information, PCI DSS requires this data to be protected, and the PAN to be encrypted or otherwise made unreadable.
Myth 10 – PCI DSS is too hard. When people say PCI DSS is too hard, many really mean to say compliance is not cheap. The business risks and ultimate costs of non-compliance, however, can vastly exceed the cost of implementing PCI DSS.
Posted 2019-05-04.