With all the negative publicity this year surrounding major-league retailers and their staggering credit card information breaches, it’s no surprise the question of PCI compliance has moved to the front of many a CISO’s mind. And while the PCI Data Security Standard (PCI DSS) has steadily evolved to meet emerging security concerns (it is currently in its 3rd major revision), many security professionals either eschew the standard altogether or have misconceptions about some of the key tenets of the PCI standard. Here’s a quick look at three top PCI misconceptions:
#1 -- Since I don't store credit card information, I don't have to worry about being PCI compliant.
The PCI DSS does not just apply to the storage of credit card data but also to the handling of data while it is processed or transmitted over networks, phone lines, faxes, etc. While not storing credit card data does eliminate some compliance requirements, the majority of the controls dictated by the DSS remain in effect. The only way to avoid PCI compliance is to transfer the risk entirely to someone else, such as PayPal's Website Payments Standard service, where customers interact with the PayPal software directly and credit card information never traverses your own servers.
#2 -- I don't process a large number of credit cards (e.g., too small, only level 3, only level 4), so I don't have to be compliant.
While merchants processing less than 20,000 total transactions a year are generally not required to seek compliance validation, the obligation for PCI compliance is still there, as are the consequences if the data you store or process is compromised. For merchants processing between 20,000 and 1 million total transactions -- a large majority of small businesses -- the requirement to fill out a self-assessment questionnaire, or “SAQ”, means that many if not all of the full PCI DSS requirements must be met and attested to.
#3 -- We’ve just made it through a PCI audit and received our ROC (Report on Compliance), so we’re good to go until next year!
Whether it’s a Report on Compliance or a recently completed SAQ (for those organizations not processing enough transactions to require a full-blown ROC), this is simply a point-in-time indication of your compliance with the PCI standard. Keep in mind, however, that failure to comply continually with the PCI requirements will result in liability should your organization experience a breach.