The Payment Card Industry Data Security Standard (PCI DSS) exists to help keep sensitive financial information safe from theft, hacking and other security threats. Since all merchants that process, transmit or store cardholder data must be compliant, it’s surprising how many misconceptions and myths there are about the standard. Here we look at the most common misconceptions, set the record straight, and provide a handy guide to becoming – and staying – compliant.
I’m not an e-commerce business, so it’s not relevant to me.
Wrong! Even if you store, process or transmit cardholder information only through in-store point-of-sale (POS) systems, standalone terminals or virtual terminals, you still need to be compliant.
My business is too small to worry about PCI compliance.
Compliance does not depend on the size of a merchant’s business. This is a common and potentially costly mistake that many small business owners make. Whether you take just one credit card payment a year or thousands, you need to meet the PCI DSS requirements.
We follow most of the criteria, that’s enough, right?
This is another common misconception. To be compliant, merchants must meet all PCI requirements – even the ones that don’t seem relevant. Failing to meet even one standard puts customer information at risk. According to research by SecurityMetrics, merchants who experienced data compromises were not compliant with 47% or more of PCI DSS requirements.
Does PCI mean I have to store cardholder data?
PCI DSS discourages merchants and processors from storing such data at all. If you have a legitimate business reason to store any information from the front of a payment card, such as a customer’s name or account number, PCI DSS requires that you encrypt that data.
My card processing is outsourced, so I must already be compliant.
Outsourcing payment processing is not a guarantee of compliance. Merchants still need to follow procedures for handling transactions and data, and must ensure that their payment terminals and applications comply with PCI DSS. If in doubt, ask your payment processing provider for evidence of its own compliance, such as its Attestation of Compliance (AOC).
The whole thing is too complicated.
We can’t entirely bust this particular myth; following the 12 PCI DSS requirements can be daunting, particularly for smaller enterprises which often lack time and resources. The best way to simplify PCI compliance is to partner with a trustworthy provider of products and services that help meet the requirements of compliance. Partnering with Evolve means benefitting from Evolve’s platinum partnership with Mako, which has the world’s only PCI level 1 compliant SD-WAN device.
So, we’re not compliant – what’s the worst that can happen?
Once security has been compromised, it’s incredibly difficult to regain customer trust, especially when it comes to sensitive payment information. A Forbes Insights report found that 46% of surveyed companies had suffered reputational damage following a data breach.
If that doesn’t deter you, then you might take notice of the financial implications: non-compliant merchants can be fined by their acquiring bank, prevented from taking card payments and even lose their merchant status. On top of these penalties, merchants that suffer a data breach can be forced to compensate affected customers. In fact, the average global cost of a data breach reached $4.35 million in 2022, an all-time high and up 2.6% from the previous year.
Hopefully we’ve convinced you just how important PCI compliance is, but how do you actually go about it?
Step 1: Calculate the number of card transactions you process annually, then compare it to the requirements of each credit card company you plan to support, as this determines your PCI compliance level.
Step 2: Map the flow of cardholder data, including the applications, systems and people that handle credit card data. Make sure to include every payment platform and storage system that holds card data.
Step 3: Fill out the Self-Assessment Questionnaire (SAQ), a tool used to validate PCI compliance, which checks whether your business meets each of the 12 requirements. Remember, the experts at Evolve are on hand to help.
Step 4: Fill out the Attestation of Compliance (AOC), which differs according to the PCI compliance level of your business.
Step 5: Conduct a vulnerability scan to confirm that you meet all of the requirements.
Step 6: Submit the relevant documents, such as the AOC and SAQ, to your acquiring bank, the credit card companies and any other party that requires them.
Crucially, you need to monitor compliance on a regular basis throughout the year. Becoming and remaining PCI compliant requires continual audits and precautions to make sure cardholder data is always protected from data breaches.
For merchants to survive and thrive in what are very challenging times, it’s vital they remain PCI compliant. We provide customised solutions with PCI Level 1 certification for payment security as Mako Networks’ only platinum partner – the only network management company in the world to qualify as a PCI-certified Level 1 service provider.
If you’d like to know more, or would like to talk about how Evolve can help you with compliance, get in touch with the team today on 0333 207 0364 or visit Evolve’s website.
About Evolve Business Group and Evolve
Evolve Business Group is an independently owned company that specialises in providing end-to-end IT and managed network solutions to a range of businesses. Evolve helps businesses to reduce costs, simplify the management of services and give business owners and their teams more time to do what they do best.
Founded in 2005, it has worked with a variety of clients across different industries around the world, building a team of highly experienced specialists to help create effective and efficient packages using any combination of different offerings. It keeps a range of cross-sector networks protected and connected.