Wednesday, October 22, 2014

Three Common PCI Misperceptions

With all the negative publicity this year surrounding major-league retailers and their staggering credit card information breaches, it’s no surprise the question of PCI compliance has moved to the front of many a CISO’s mind. And while the PCI Data Security Standard (PCI DSS), currently in its 3rd major revision, has steadily evolved to meet emerging security concerns, many security professionals either eschew the standard altogether or have misconceptions about some of its key tenets. Here’s a quick look at three top PCI misconceptions:
#1 -- Since I don't store credit card information, I don't have to worry about being PCI compliant.
The PCI DSS applies not just to the storage of credit card data but also to the handling of that data while it is processed or transmitted over networks, phone lines, faxes, etc. While not storing credit card data does eliminate some compliance requirements, the majority of the controls dictated by the DSS remain in effect. The only way to avoid PCI compliance is to transfer the risk entirely to someone else, such as PayPal's Website Payments Standard service, where customers interact with the PayPal software directly and credit card information never traverses your own servers.

#2 -- I don't process a large number of credit cards (e.g., too small, only level 3, only level 4), so I don't have to be compliant.
While merchants processing fewer than 20,000 total transactions a year are generally not required to seek compliance validation, the obligation for PCI compliance is still there, as are the consequences if the data you store or process is compromised. For merchants processing between 20,000 and 1 million total transactions -- a large majority of small businesses -- the requirement to fill out a self-assessment questionnaire, or “SAQ”, means that many if not all of the full PCI DSS requirements must be met and attested to.


#3 -- We’ve just made it through a PCI audit and received our ROC (Report on Compliance)—we’re good to go until next year!
Whether it’s a Report on Compliance or a recently completed SAQ (for those organizations not processing enough transactions to require a full-blown ROC), this is simply a point-in-time indication of your compliance with the PCI standard. Keep in mind, however, that failure to comply continually with the PCI requirements will result in liability should your organization experience a breach.