M1 – We are a relatively small company, so we don't have to worry about PCI compliance
F1 – PCI DSS applies to every organization that stores, processes or transmits payment card data, regardless of size or transaction volume. Size only determines the merchant level, and with it how compliance is validated, not whether it is required.
M2 – PCI DSS is a government regulation
F2 – It is not a law or a government regulation. PCI DSS is an industry standard published by the PCI Security Standards Council, and it is enforced through contractual agreements between the card brands, the merchant (acquiring) banks and merchants.
M3 – We neither understand PCI nor have the in-house expertise to address compliance
F3 – The PCI documents answer most questions in business terms; get help interpreting the technical requirements. Due care means understanding what you must do to comply and to protect the data you hold.
M4 – PCI has no ROI and is simply too much for a small business
F4 – PCI DSS establishes a security baseline for payment card infrastructure. Its return is a matter of total cost of ownership: the cost of the controls weighed against the cost of a breach.
M5 – Why bother, when some companies get breached even though they were compliant?
F5 – A compliance assessment is a point-in-time snapshot. Companies that were "compliant" when breached had typically let controls lapse between assessments. PCI DSS compliance is not a one-time event; it is an ongoing process that must be maintained.
M6 – PCI compliance cannot be that hard; all we have to do is fill out the questionnaires
F6 – No. The Self-Assessment Questionnaire (SAQ) must be validated, including by external vulnerability scans where they apply, and any vulnerabilities found must be remediated and a passing scan obtained before the report is submitted to the merchant bank.
M7 – My application and POS equipment are PCI compliant
F7 – PCI DSS compliance applies to an organization, not to an application or a piece of equipment. Validated applications and devices help, but it is the merchant's environment, processes and people that are assessed.
M8 – PCI compliance addresses the security of the whole organization
F8 – PCI DSS does not address confidentiality, integrity and availability (CIA) for the whole organization. It covers only the security of cardholder data and the systems that store, process or transmit it, or are connected to them.
M9 – A data breach will not affect business revenue
F9 – A breached merchant can be reclassified as Level 1 (with the ongoing cost of annual assessment and monitoring), lose the ability to accept cards, and pay forensic investigation charges and card-brand fines.
M10 – We don't need to scan PCI assets
F10 – Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) are mandatory for merchants at every level (1-4) that have Internet-facing systems in scope; transaction volume does not exempt anyone.
M11 – Merchants can use any application to transmit, process and store PCI data
F11 – Not really. Beginning in 2010, merchants may use only third-party payment applications validated under the Payment Application Data Security Standard (PA-DSS). Custom in-house applications are not covered by PA-DSS and are instead assessed directly as part of the merchant's PCI DSS assessment.
M12 – We have compensating controls in place, so we are covered
F12 – You still have to prove how well each compensating control meets the intent and rigor of the PCI requirement it replaces, document it, and re-validate it at every assessment. Compensating controls are harder to implement and cost more over the long run than meeting the requirement directly.
May 11th, 2009 8:37 pm
PCI is confusing for the average merchant. Hopefully the new tools coming online soon make it easier.
June 8th, 2009 8:37 pm
This is a new thing to know. Thanks for sharing. I was not aware of this before I read your blog. Thanks…
visit my site http://www.orchardbank.com.
July 28th, 2009 6:42 pm
Indeed, there is still a great need for education in regard to PCI compliance, as is evidenced by the common misconceptions outlined above.
If you're interested in making PCI compliance slightly more entertaining while you learn, try our PCI Compliance Quiz Widget: http://www.elementps.com/pci-compliance-quiz/
Enjoy!
August 23rd, 2009 2:45 pm
You said, "PCI has no ROI and simply too much for a small business", but you never indicated what they have too much of (debt, competitors, etc). Whatever it is, perhaps it can be resolved with a little more advertising using online methods like social media, Adwido, etc.
August 28th, 2009 9:07 pm
Well, you really don't have to worry about that. Thanks for sharing an interesting post like this. It is worth reading and appreciated.
November 29th, 2009 1:18 am
Wow! Great idea, I will try it.
July 6th, 2010 8:15 am
That's amazing.
August 26th, 2010 1:11 am
MERCHANT BANK ACCOUNT – where should I set one up?
I already have the site using CyberSource for the processing, but not sure what bank or service would be best to set up the merchant bank account…
We're not talking about major traffic or $ amounts into the account (maybe a couple thousand $ per month, and I will be writing checks out of the account too). I don't want to be locked into a contract or have too many upfront fees… I've looked at Wells Fargo, and someone recommended Chase… I already bank with WAMU and HSBC… have been thinking of switching my checking to USAA…
Your suggestions are much appreciated – thanks!!
August 26th, 2010 4:52 pm
Ask for the bank's security policy, which should include procedures such as incident handling and privacy standards. Basically, review these policies and procedures and validate whether they fit your individual needs.