Apr 28 2009

PCI DSS Misconceptions and Facts

Category: pci dssDISC @ 7:13 pm

Information Security Wordle: PCI Data Security...

M1 – We are relatively small company so we don’t have to worry about PCI compliance
F1 – The PCI DSS must be met by all organizations that transmit, process or store payment card data

M2 – PCI DSS is either a regulation or a standard
F2 – Itβ€˜s a neither a standard nor a regulation. It is a contractual agreement between card associations, the merchant banks and merchants

M3 – We neither understand PCI and nor have in house expertise to address compliance
F3 – PCI document clarify most of the questions in business terms but get help to interpret technical questions. Due care imply to understand your requirements to comply and protect your data

M4 – PCI has no ROI and simply too much for a small business
F4 – PCI address a baseline security for payment card infrastructure and its ROI is a total cost of ownership

M5 – Why bother when some companies get breached even though they were compliant
F5 – PCI DSS compliance is not a onetime process it is an ongoing process to maintain it

M6 – PCI compliance cannot be that hard, all we have to do is fill out the questionnaires
F6 – Yes, on the questionnaires has to be validated through scan. Vulnerabilities need to be resolved before submitting the report to merchant bank

M7 – My application and POS equipment are PCI compliant
F7 – PCI DSS compliance apply to an organization neither to an application nor an equipment

M8 – PCI compliance addresses the security of the whole organization
F8 – PCI DSS does not addresses the CIA for the whole organization but only card holder data security

M9 – Data breach will not affect the business revenue
F9 – Become level 1 (cost of monitoring), lose card acquiring ability, forensic charges and fines

M10 – We don’t need to scan PCI assets
F10 – Quarterly scanning is mandatory for all merchants (Level 1-4)

M11 – Merchants can use any application to transmit, process and store PCI data
F11 – Not really, beginning 2010, merchants can only use payment applications validated under the payment application data security standard (PA-DSS)

M12 – We have compensating control in place so we are covered
F12 – You still have to prove how well compensating control covers the PCI requirement. Compensating controls are harder to do and cost more money in the long run











Documentation Compliance Toolkit



PCI Compliance



Practical guide to implementation (Soft Cover)



Practical guide to implementation (Download)



Reblog this post [with Zemanta]

Tags: Company, Financial services, Merchant Services, Payment card industry, pci dss, Security