Apr 28 2009

PCI DSS Misconceptions and Facts

Category: pci dssDISC @ 7:13 pm

Information Security Wordle: PCI Data Security...

M1 – We are relatively small company so we don’t have to worry about PCI compliance
F1 – The PCI DSS must be met by all organizations that transmit, process or store payment card data

M2 – PCI DSS is either a regulation or a standard
F2 – It‘s a neither a standard nor a regulation. It is a contractual agreement between card associations, the merchant banks and merchants

M3 – We neither understand PCI and nor have in house expertise to address compliance
F3 – PCI document clarify most of the questions in business terms but get help to interpret technical questions. Due care imply to understand your requirements to comply and protect your data

M4 – PCI has no ROI and simply too much for a small business
F4 – PCI address a baseline security for payment card infrastructure and its ROI is a total cost of ownership

M5 – Why bother when some companies get breached even though they were compliant
F5 – PCI DSS compliance is not a onetime process it is an ongoing process to maintain it

M6 – PCI compliance cannot be that hard, all we have to do is fill out the questionnaires
F6 – Yes, on the questionnaires has to be validated through scan. Vulnerabilities need to be resolved before submitting the report to merchant bank

M7 – My application and POS equipment are PCI compliant
F7 – PCI DSS compliance apply to an organization neither to an application nor an equipment

M8 – PCI compliance addresses the security of the whole organization
F8 – PCI DSS does not addresses the CIA for the whole organization but only card holder data security

M9 – Data breach will not affect the business revenue
F9 – Become level 1 (cost of monitoring), lose card acquiring ability, forensic charges and fines

M10 – We don’t need to scan PCI assets
F10 – Quarterly scanning is mandatory for all merchants (Level 1-4)

M11 – Merchants can use any application to transmit, process and store PCI data
F11 – Not really, beginning 2010, merchants can only use payment applications validated under the payment application data security standard (PA-DSS)

M12 – We have compensating control in place so we are covered
F12 – You still have to prove how well compensating control covers the PCI requirement. Compensating controls are harder to do and cost more money in the long run

Documentation Compliance Toolkit

PCI Compliance

Practical guide to implementation (Soft Cover)

Practical guide to implementation (Download)

Reblog this post [with Zemanta]

Tags: Company, Financial services, Merchant Services, Payment card industry, pci dss, Security

10 Responses to “PCI DSS Misconceptions and Facts”

  1. Payment Card Industry says:

    PCI is confusing for the average merchant. Hopefully the new tools coming online soon make it easier.

  2. somb775 says:

    This is new things to know. Thanks for sharing. I was not aware of this before I read you blog. Thanks…
    visit my site http://www.orchardbank.com.

  3. Element Payment Services says:

    Indeed, there is still a great need for education in regard to PCI compliance, as is evidenced by the common misconceptions outlined above.

    If you're interested in making PCI compliance slightly more entertaining while you learn, try our PCI Compliance Quiz Widget: http://www.elementps.com/pci-compliance-quiz/


  4. mlgreen8753 says:

    You said, “PCI has no ROI and simply too much for a small business”, but you never indicated what they have too much of (debt, competitors, etc). What ever it is, perhaps it can be resolved with a little more advertising using online methods like social media, Adwido, etc.

  5. Country says:

    Well you really don't have to worry about that. Thanks sharing interesting post like this. It is worth and appreciating to read.


  6. NetSpendcom says:

    Wow! Great Idea I will try it

  7. Yasshuja says:

    thts amazing

  8. Chase Merchant Processing says:

    MERCHANT BANK ACCOUNT – where should I set one up?
    I already have the site using CyberSource for the processing, but not sure what bank or service would be best to set up the merchant bank account…

    We're not talking about major traffic or $ amounts into the account (maybe a couple thousand $ pe rmonth and I will be writing checks out of the account too). I don't want to be locked into a contract or have too many upfront fees…. I've looked at Weels Fargo, and someone recommended Chase… I already bank with WAMU and HSBC… have been thinking of switching my checking to USAA…

    Your suggestions are much appreciated – thanks!!

  9. disc7 says:

    Ask for bank security policy which should include procedure like incident handling and privacy standards. Basically review these policies and procedures and vaidate if they fit your individual needs.

  10. Immigration solicitors says:

    Immigration Lawyers…

    […]just below, are some totally unrelated sites to ours, however, they are definitely worth checking out[…]…

Leave a Reply

You must be logged in to post a comment. Login now.