In the spirit of the Washington Posts’ regular column, “5 Myths,” here we “challenge everything you think you know” about PCI-DSS Compliance.
1. One vendor and product will make us compliant
While many vendors offer an array of services and software which target PCI-DSS, no single vendor or product fully addresses all 12 of the PCI-DSS v2.0 requirements. Marketing departments often position offerings in such a manner as to give the impression of a “silver bullet.” The PCI Security Standards Council warns against reliance on a single product or vendor and urges a security strategy that focuses on the big picture.
2. Outsourcing card processing makes us compliant
Outsourcing may simplify payment card processing but does not provide automatic compliance. PCI-DSS also calls for policies and procedures to safeguard cardholder transactions and data processing when you receive them — for example, chargebacks or refunds. You should request an annual certificate of compliance from the vendor to ensure that their applications and terminals are compliant.
3. PCI is too hard, requires too much effort
The 12 requirements can seem difficult to understand and implement to merchants without a dedicated IT department, however these requirements are basic steps for good security. The standard offers the alternative of compensating controls, if needed. The market is awash with many products and services to help merchants achieve compliance. Also consider that the cost of non-compliance can often be higher, including fines, legal fees, lost business and reputation.
4. PCI requires us to hire a Qualified Security Assessor (QSA)
PCI-DSS offers the option of doing a self-assessment with officer sign-off if your merchant bank agrees. Most large retailers prefer to hire a QSA because they have complex environments, and QSAs provide valuable expertise including the use of compensating controls.
5. PCI compliance will make us more secure
Security exploits are non-stop and an ever escalating war between the bad and good guys. Achieving PCI-DSS compliance, while certainly a “brick in the wall” of your security posture, is only a snapshot in time. “Eternal vigilance is the price of liberty,” said Wendell Phillips.