(Source: PCI Security Standards Council – PCI SSC)
Myth: I’m a small merchant who only takes a handful of cards, so I don’t need PCI.
Fact: This is a common misunderstanding about PCI compliance: that small merchants handling only one or a few card transactions a year are exempt. If you are a merchant set up to accept credit or debit cards by any mechanism (terminal, telephone, mail order, web), PCI DSS applies to you. Transaction volume determines your merchant level and therefore how you validate compliance (for example, which Self-Assessment Questionnaire you complete versus an on-site assessment), not whether the requirements apply.
Myth: PCI only applies to e-commerce companies.
Fact: No. PCI DSS applies to every company that stores, processes or transmits cardholder data, regardless of channel. In fact, anyone who accepts card-present transactions through POS devices is often at greater risk than an e-commerce merchant: these environments frequently end up storing full track data read from the magnetic stripe or chip, which PCI DSS forbids retaining after authorization because it is sufficient to produce counterfeit cards. A compromise of this type of data can bring heavy fines and claims for compensation from the banks involved.
Myth: You only have to be PCI compliant with the majority of criteria.
Fact: The pass mark for PCI DSS is 100%: if you fail even one requirement, you are not compliant. Where a requirement cannot be met as written because of a legitimate, documented technical or business constraint, the standard allows a compensating control that mitigates the same risk, but the requirement must still be satisfied one way or the other. The standard is not a target to strive for; it is a floor, a baseline on which further security measures are built. Failing even one requirement means failing to meet a basic standard for handling cardholder data. Any company that routinely handles this kind of data should aim to exceed the standard. It is simply good business.
Myth: As a merchant, I did not sign anything saying I would be compliant, therefore, I don’t need to be.
Fact: PCI DSS compliance is required by the card brands' operating regulations, the rules under which merchants are permitted to hold and operate merchant accounts, and those rules are incorporated into the merchant agreement with your acquiring bank. Even if you have been in business for decades, PCI DSS still applies if you store, process or transmit cardholder data.
Myth: PCI compliance is an IT project.
Fact: Certain aspects of PCI compliance require technical and operational input, but compliance is much more than a ‘project’ with a beginning and an end. It is an ongoing cycle of assessment, remediation and reporting, repeated as the cardholder data environment, the business and the standard itself change. PCI compliance is a business issue, best addressed by a multi-disciplinary team spanning IT, security, finance, operations and management.