Ten Common Myths of PCI DSS

The information for this article was taken from data available from the PCI Security Standards Council.  It is shared on this website for your gratification.

Myth 1 –

One vendor and one product will make you compliant.

Check your valuables; this person is probably robbing you blind.  We are big on solutions at POS Plus, LLC., but the fact of this matter is, there is no one product that does it all.

Myth 2 –

Outsourcing card processing makes you compliant. WHOOP! WHOOP! Bells and whistles are making much noise!  Outsourcing does simplify payment card processing, but it does not address policies and procedures intended to protect cardholder information and data. You are also responsible for making sure that the contractors whom you hire to assure PCI compliance are themselves PCI compliant in the way in which they handle applications. You must also make certain that your suppliers do not store sensitive cardholder data. It wouldn’t be a bad idea to request a certificate of compliance from each of your providers.

Myth 3 –

PCI compliance is an IT project. PCI compliance is an ongoing process. What protected payment transactions and data yesterday will most likely do a woeful job of protection, today. PCI compliance is a business issue that is best addressed by a multi-disciplinary team. The risks of failure in this arena are financial and reputational.  The risks affect everyone therefore, be sure that everyone knows how the policies and procedures should look and how they should sound in each department.

Myth 4 –

PCI will make us secure

Successful completion of a system scan or assessment for PCI is but a snapshot in time.

Security must be non-stop. Security must get stronger every day. You can bet your bottom dollar the hackers are getting stronger. You can take it to the bank that they will not take the day off which is why PCI compliance efforts must be a continuous process to ensure the safety of cardholder data.


Myth 5 –

PCI is unreasonable; it requires too much


Most aspects of the PCI DSS are already a common best practice for security. The standard so permits the option using compensating controls to meet some requirements. The standard provides significant detail, which benefits merchants and processors by not leaving them to wonder, “Where do I go from here?” This scope and flexibility leads some to view PCI DSS as an effective standard for securing all sensitive information.


Myth 6 –

PCI requires us to hire a Qualified Security Assessor


Because most large merchants have complex IT environments, many hire a QSA to glean their specialized value for on-site security assessments required by PCI DSS. The QSA also makes it easier to get approval for a compensating control. However, PCI DSS provides the option of doing an internal assessment with an officer sign-off if your acquirer and/or merchant bank agrees. Mid-sized and smaller merchants may use the Self-Assessment Questionnaire found on the PCI SSC Web site to assess themselves.


Myth 7 –

We don’t take enough credit cards to be compliant


PCI compliance is required for any business that accepts payment cards – even if the quantity of transactions is just one.



Myth 8 –

We completed an S a Q so we’re compliant

Technically, this is true for merchants who are not required to do on-site assessments for PCI DSS compliance – for that participant in an instant. True security of cardholder data requires non-stop assessment and remediation to ensure that likelihood of a breach is kept as low as possible.


Myth 9 –

PCI makes us store cardholder data


Both PCI DSS and the payment card brands strongly discourage storage of cardholder data by merchants and processors. There is no need, nor is it allowed, to store data from the magnetic stripe on the back of a payment card. If merchants or processors have a business reason to store front-card information, such as name and account number, PCI DSS requires this data to be encrypted or made otherwise unreadable.


Myth 10 –

PCI is too hard


Understanding and implementing the 12 requirements of PCI DSS can seem daunting, especially for merchants without security or a large IT department. However, PCI DSS mostly calls for good, basic security. Even if there was no requirement for PCI compliance, the best practices for security contained in the standard are steps that every business would want to take anyway to protect sensitive data and continuity of operations. There are many products and services available to help meet the requirements for security – and PCI compliance is not cheap. The business risks and ultimate costs of non-compliance, however, can vastly exceed implementing PCI DSS – such as fines, legal fees, decreases in stock equity, and especially lost business. Implementing PCI DSS should be part of a sound, basic enterprise security strategy, which requires making this activity part of your ongoing business plan and budget.


© 2008 PCI Security Standards Council LLC. The intent of this document is to provide supplemental information, Which does not replace or supersede PCI SSC Security Standards or their supporting documents