Myth buster: 10 of the Most Common PCI DSS Myths Busted

The first version of the PCI DSS was published almost 20 years ago. Since then, many myths and misconceptions have arisen around the 12 requirements, describing how card data must be stored, processed, and transmitted. We dispel some of the most common ones.

10 PCI DSS myths explained

1. We don’t take enough card payments, PCI DSS doesn’t apply to us

Variations of this myth are that small merchants don’t need to be compliant. Or that small merchants don’t need to worry about PCI DSS until they start processing a certain number of card payments. 

There’s also confusion around the types of cards accepted. For some businesses, a payment card equals a credit card. They only accept debit or prepaid cards. Or they don’t accept AMEX cards, so they think – mistakenly – that PCI DSS doesn’t apply to them.

In fact, business size doesn’t matter. Nor is the number or nature of card payments accepted. Simply put: if your business accepts cards, then PCI DSS applies.

2. We don’t deal directly with consumers, so we’re not a target 

Sadly, criminals aren’t choosy about the nature of their customers. They could be consumers, other businesses, large corporations, multinationals, or even government departments. 

Nor are they choosy about the nature of your business. They don’t care whether you’re a retailer, non-profit organization, charity, educational institution, or government agency.

Card data is card data. Criminals can sell stolen data on underground forums. They can use it themselves to create fake cards to withdraw cash from ATMs. Or buy things to sell for profit.

Generally, if data has value to you or your customers. Then, you can almost guarantee it has value to criminals, too, so protect it.

3. We don’t sell online, PCI DSS doesn’t apply to us 

PCI DSS applies to all businesses that accept cards, regardless of how they trade.

Believe us, criminals have tried and trusted ways of attacking all sales channels. Whether it’s SQL injection or man-in-the-middle attacks in e-commerce. Or terminal swap-out fraud in physical stores. Their greed for card data is matched only by their cunning.

[LEARN MORE] Three things you need to know about PCI DSS v4.0

4. We’re able to store any data we want, and our customers consent to this 

A variation of this myth is that card schemes, PCI or some external organization is making businesses store cardholder data. The reverse is true.

Businesses don’t own customer card data. Card schemes and the PCI SSC, the body that administers PCI DSS, strongly discourage the storing of sensitive cardholder data. 

There’s no good reason for you to store data from a card’s magnetic stripe or chip. But if your business bills customers regularly or refunds customers’ cards and retains card numbers and expiry dates to do so, protect this data. This is where encryption and/or tokenization technologies come into play. 

In summary, if you don’t need it, don’t store it. If you do, protect it.

5. We don’t work in the IT department, PCI DSS is not my job 

The truth of the matter is that data security is everyone’s job. Just as adhering to HR policies and brand usage guidelines is everyone’s job, no matter where they work in an organization.

The IT department may lead on certain technical and operational aspects of PCI DSS, but it’s a business-wide responsibility. 

Firstly, because how your business stores, processes, or transmits card data touches almost every aspect of the customer journey. Everything from how you receive orders and issue refunds to how you identify new versus repeat customers.

Secondly, because 37% of retail sector data breaches involved payment data. And 100% of data breaches had a financial motive, according to a recent Verizon report. The impact of a data security breach is financial and reputational, which affects your business as a whole.

6. We’re compliant with PCI DSS, we’re secure 

Variations of this myth are that our business is PCI DSS-compliant, so it’s protected from hackers or ‘hacker-proof’.

Point-in-time compliance doesn’t guarantee ongoing security. To prove this point, only 29% of companies were still PCI DSS-compliant less than a year after validation, a Verizon report showed. That’s quite simply because security is not a one-and-done activity, but more a continuous process. 

Anything can change in your business, that of a trusted partner or third party, in the market or even with the PCI DSS standard. Remaining secure requires ongoing vigilance. And the right people, processes, and technology to back this up.

7. We’ve completed a PCI DSS Self-Assessment Questionnaire (SAQ), and we’re compliant 

SAQs, vulnerability scans, pen tests, and so on are merely tools. Your PCI DSS scope and what you must do to evidence compliance depends on your business and how you accept card payments. 

It also changes over time. Any self-assessment, scan, or test is only a snapshot of when it was completed.

It’s also a myth to think that your business is compliant if it meets most criteria. That’s like thinking that you’re mostly pregnant. Either you are, or you’re not. There’s no mid-point.

8. We’ve taken out cyber insurance, and we’re protected

Taking our cyber insurance merely helps your business cover some of the costs of a cyber incident or breach. This includes paying for investigators, communication, and legal experts, plus the costs of notifying and refunding customers affected. It won’t necessarily protect your business from a data breach. Or make it PCI DSS-compliant or secure.

Your card acquirer or payment service provider will still hold you responsible if you suffer a card data breach. Or are found to be non-compliant with PCI DSS. They could fine you or terminate your card acceptance. You can’t transfer this risk through the purchase of insurance.

9. We’ve outsourced card processing, we’re protected 

It probably won’t surprise you at this stage, but PCI DSS compliance is not as simple as that. Outsourcing card processing doesn’t automatically make a business secure or compliant. 

You must consider how your business secures card data throughout the customer relationship. This includes processing refunds, reversals, and chargebacks. You must also do due diligence on outsourcing partners and their PCI status to ensure they’re compliant. 

Finally, be warned. While your business can outsource the responsibility for performing a task, you can’t outsource the liability, if things go wrong.

10. We already work with a number of security vendors, so we’re protected

There are no silver bullets in security. Working with too many vendors and products can be as bad as working with too few if they’re the wrong ones.

So, understand the types of vendors you’re working with and the services they provide. Are they terminal vendors, hosting providers, software-as-a-service vendors, or resellers?

Ensure they’ve taken appropriate steps to protect card data. The general areas to quiz them on include the security of their product or service, how and where it’s installed, whether they provide ongoing support and maintenance, and what happens if there’s a data breach.

Conclusion

Twelve high-level PCI DSS requirements and hundreds of sub-requirements over nearly 20 years can create many myths, misconceptions, and misunderstandings. Unsurprisingly, businesses struggle to understand how they can best secure card data and become PCI DSS compliant.

Jscrambler goes one step further than the new requirements and can be configured to automatically block all attempts to skim cardholder data from e-commerce transactions.

[LEARN MORE] Free tool to comply with PCI DSS v4.0 by Jscrambler

Jscrambler's free PCI DSS 4.0 compliance tool helps Merchants achieve compliance with requirements 6.4.3 and 11.6.1 of PCD DSS v4.0 and QSAs to validate compliance.