There is a lot, a heck of a lot, of misinformation doing the rounds with regard to the PCI DSS.
We have put together some of the most common myths in relation to PCI compliance. Below are a couple of the myths doing the rounds; if you would like the full list, please use the contact page and we will email the full document to you.
Most of our transactions are online, so we do not take enough transactions over the phone to warrant compliance above Level 4…
The numbers of transactions conducted over the phone, the internet and other applications are cumulative, so it is the total number of transactions that is relevant, regardless of where or how they have been processed. For example, if an organisation takes fewer than 20,000 Visa/MasterCard transactions over the phone but processes over 1 million via other means such as the internet or tablet applications, it must ensure it meets all the controls for Level 2 compliance for phone calls as well as e-commerce.
My organisation is buying/has bought PCI DSS approved equipment
Many organisations are investing high levels of capex in PCI DSS approved equipment to address the requirement to be approved. The issue with this is that, although it is useful to have PCI compliant hardware and software to meet certain requirements, the organisation still has to meet ALL of the controls in order to pass the audit, which will in all certainty still be a complex, expensive and long-winded process.
Do organisations using third-party processors have to be PCI compliant?
Yes. Merely using a third-party company does not exclude a company from PCI compliance. It may cut down on their risk exposure and consequently reduce the effort to validate compliance. However, it does not mean they can ignore PCI. You and/or your organisation must ensure ALL controls are met and maintained.
I’m a small merchant who only takes a handful of cards, so I don’t need PCI.
This is a common misunderstanding: small merchants handling small numbers of transactions per year believe they are either exempt from compliance or only need to self-certify. If you are a merchant and are set up to take/process card transactions by any mechanism, then you need to be compliant. In addition, all transaction types count towards a cumulative total that determines what level of compliance a merchant or organisation needs to adhere to.
One vendor and product will make us compliant.
Many vendors offer an array of software and services for PCI compliance. No single vendor or product, however, fully addresses all 12 requirements of PCI DSS. When marketing focuses on one product’s capabilities and excludes positioning these with other requirements of PCI DSS, the resulting perception of a ‘silver bullet’ might lead some to believe that the point product provides ‘compliance’, when it’s really implementing just one or a few pieces of the standard. The PCI Security Standards Council urges merchants and processors to avoid focusing on point products for PCI security and compliance. Instead of relying on a single product or vendor, you should implement a holistic security strategy that focuses on the ‘big picture’ related to the intent of PCI DSS requirements.