There are many PCI compliance myths floating around in the online retail industry. It is an easy subject to find, but a difficult one to navigate. Here is the reality: if your business accepts credit cards, your transactions must comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a set of standards that applies to any company that accepts, processes, stores or transmits credit card data. Whether your business is done online, at a physical location, or a combination of both, the PCI council is interested in how well you secure this data.
Many myths and misconceptions surround this set of standards. Being able to separate myth from reality can help you as an entrepreneur ensure that you remain in compliance and that sensitive customer data is always protected.
Failing to comply with PCI standards exposes a business to a loss of customer trust, hefty fines from the card brands, financial damages from data breaches, and potential lawsuits.
The general mystery surrounding PCI has allowed several myths about PCI compliance to spread throughout the industry. In their rush to simplify the process, poorly trained sales agents and uninformed merchants alike have unknowingly passed along misinformation about PCI compliance, and in doing so have made a complicated regulatory framework even harder to understand. To help you sort through what is fact and what is fiction, we’ve gathered the following list of common myths about PCI compliance.
1. It’s only for certain types of businesses: Have you been told that PCI DSS does not apply to small businesses, or to businesses that process only a handful of cards a year? Have you heard that the standard does not cover businesses that are not yet big enough for the PCI Security Standards Council (PCI SSC) to notice them? If so, it’s critical to be aware that those statements are false.
Those are common misconceptions. While you may not be required to submit a compliance report to the PCI SSC, the council recommends that you use a Self-Assessment Questionnaire to determine whether you are in compliance. If you suffer a security breach while not in compliance, ignorance will not excuse you from the consequences, including hefty fines and reputational harm.
2. You only need to be compliant in certain areas: The passing score for PCI compliance is 100%. Even if you fail in only one area, you fail completely.
Complying with PCI DSS is essentially the bare minimum that your organization should be undertaking to ensure the safety of your customers’ data. Organizations need to meet 100% of the criteria to be in compliance. Even then, full compliance does not necessarily mean your systems or data are completely secure. Just remember, should your company fail a PCI audit, you could lose the ability to process any credit card transactions at all. That consequence alone is something few businesses can survive, especially those that are online retailers.
3. Debit card data is exempt: Wrong. Since debit cards are often processed on credit card systems and are issued by the same banks and credit card providers, they fall under the rules of the PCI DSS. The same protections exist for debit card information as credit card data.
4. I’m too small for cybercriminals to take an interest: Unfortunately, no one is too big or too small to be targeted by fraud. In fact, 21% of SMBs experienced payment fraud during their first year of operation, and another 51% within two years of opening their doors.
5. Outsourcing PCI compliance removes responsibility: Many merchants choose to outsource PCI compliance to specialist third-party providers, which can be a good strategy, particularly when they lack the infrastructure and resources to handle it in-house.
Even so, you remain responsible for the customer address data you hold and for processing returns and chargebacks. You also need to request compliance certificates from your vendors annually to confirm that they remain PCI compliant.
Ivrnet is in the business of helping businesses achieve security compliance and protect sensitive customer data. A leader in payment security, Ivrnet is a Level 1 PCI DSS certified Service Provider. Visit ivrnet.com to learn more, watch a webinar, or request a demo of our PCI-compliant call centre solutions for online and over-the-phone credit card payments.