PCI Compliance: The Biggest Myths Explained
The Payment Card Industry’s Data Security Standards (PCI DSS) were established to secure cardholder data that is stored, processed, and transmitted by merchants and processors. PCI DSS includes 12 requirements that represent the best practices for safeguarding sensitive card information.
Read the full white paper anytime and anywhere.
PCI compliance is required for any organization that handles card data. Because these PCI requirements are so extensive, it can seem like a daunting task to become fully compliant. And, to add complication to an already arduous process, the payments space is riddled with many misconceptions regarding PCI standards and what it means to be compliant. It may be tempting for many merchants to only address the standards that seem to make the most sense for their business—or to do just enough to make sure they are covered in the major areas because they believe breaches are unlikely to happen. In some cases, merchants may decide to dismiss the process altogether.
However, failing to comply with PCI standards exposes businesses to a loss of customer trust, hefty fines from credit card companies, financial damages due to data breaches, and potential lawsuits.
Unfortunately, even with these consequences hanging over merchant’s heads, very few companies completely follow PCI requirements. According to Verizon’s 2020 Payment Security Report, less than 28% of businesses were 100% PCI DSS compliant in 2019. As a result, these merchants are leaving their transactions, customers, and businesses vulnerable to attacks.
This white paper explains the most common myths that merchants have about PCI compliance and provides solutions to enable them to build up their defenses against data breaches.
12 Common PCI Compliance Myths
Merchants often struggle to understand the ins and outs of PCI compliance. There is false information floating around among retailers, especially smaller merchants, and many unknowingly believe in these falsehoods. Below are twelve PCI compliance myths and their truths.
These explanations of PCI requirements can help merchants better secure cardholder data and ensure they are compliant.
1. PCI Is Only For E-Commerce Businesses
Many merchants believe they only need to follow PCI regulations if they sell products online. However, this is not true. PCI applies to all businesses that store, process, or transmit cardholder information—whether it be through an in-store point-of-sale (POS) system, standalone terminal, virtual terminal, or e-commerce platform.
An important consideration for in-store merchants is that POS devices sometimes require storing track data with transactions. This process is against PCI DSS and could bring heavy fines against the merchant from the banks involved. Therefore, all retailers will need to carefully choose their POS devices, payment gateways, and vendors to fully comply with PCI.
2. Small Merchants Don’t Need To Be Compliant
Owners of small businesses often dismiss PCI because they are only handling a few credit cards per year. They’ve been told or believe they are exempt from compliance for this reason. However, whether they take just one credit card or thousands per year, they need to follow PCI regulations. Compliance is not dependent on the size of a merchant’s business.
3. Small Businesses Don’t Need To Worry About PCI Until Their Business Grows
On the contrary, PCI compliance is particularly important for small businesses. This is because malicious actors often target smaller businesses who are likely to have weaker data security than larger businesses.
No matter the business’s size, they must be compliant so long as they handle sensitive card data. Thus, as soon as a business opens its doors (or launches its e-commerce website), the owner should be knowledgeable on PCI requirements and ensure they are following all guidelines for compliance.
4. A Business Is Compliant If It Follows The Majority Of Criteria
Many merchants hold this common belief, but it is incorrect and exposes them to security breaches.
According to SecurityMetrics, merchants who experienced data compromises were not compliant with 47% or more of PCI DSS requirements.
If a business fails on just one of the criteria, then it is not compliant. To be compliant, the business must meet all requirements. It’s not about picking and choosing the standards that seem to make the most sense for a business. Nor is it about making sure the company is covered in what they believe to be the major areas. This is not the case.
When a retailer fails to meet even one standard, they put their customers’ information at risk.
Additionally, it’s important to realize that full PCI compliance is the minimum standard required to help merchants protect cardholder information—even if a company is 100% PCI compliant, they could still put additional measures in place to be more secure.
5. Merchants Don’t Sign Anything Agreeing To PCI Compliance, So They Don’t Need To Be
When opening a processing account with a bank, the merchant does in fact agree to adhere to the card brand’s requirements, which include PCI DSS.
6. Merchants Can Store Any Data They Want
Contrary to popular belief among merchants, they do not own customer data. Therefore, they do not have the right to access or store any information they want to support their business. PCI forbids merchants from storing unencrypted credit card numbers, CVV or CVV2 codes, PIN blocks, PINs, and track 1 or track 2 data. If any of this data is found in a retailer’s database, log files, or audit trails, they could face severe repercussions.
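Because prohibited data most often leaks into log files and audit trails by accident (debug logging of a request, a raw swipe written to disk), a practical control is to scan logs for it. The following is an added example, not code from the white paper or from Cardknox: it runs a Luhn check over candidate digit runs so that order numbers and session ids are not flagged, looks for track 1 layout and CVV fields, and masks any PAN it reports so the scanner itself does not reproduce the sensitive value. The log lines are constructed, and the card numbers in them are the standard test numbers.

```python
import re

# Constructed sample log lines (not from the white paper); PANs are test numbers.
SAMPLE_LOG = """\
2024-01-05 10:02:11 INFO checkout ok order=1001 last4=4242
2024-01-05 10:02:12 DEBUG auth request pan=4111111111111111 exp=12/26 cvv=123
2024-01-05 10:03:40 DEBUG swipe raw=%B5555555555554444^DOE/JANE^2612101?
2024-01-05 10:04:02 INFO session id=1234567890123456 user=alice
"""

# A PAN is 13-19 digits that are not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Track 1 layout: %B<PAN>^<NAME>^<YYMM>...  (magnetic stripe data)
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]*\^\d{4}")
# A logged CVV/CVV2 field such as "cvv=123".
CVV_RE = re.compile(r"\bcvv2?\s*=\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits):
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep first six and last four digits (the maximum PCI DSS allows to be shown)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_log(text):
    """Return (line number, finding) pairs for prohibited data in the log text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if TRACK1_RE.search(line):
            findings.append((lineno, "track1"))
        if CVV_RE.search(line):
            findings.append((lineno, "cvv"))
        for m in PAN_RE.finditer(line):
            if luhn_ok(m.group(1)):   # Luhn filters out ids that merely look like PANs
                findings.append((lineno, "pan:" + mask_pan(m.group(1))))
    return findings


if __name__ == "__main__":
    for lineno, what in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {what}")
```

The Luhn filter is what makes this usable on real logs: the 16-digit session id on line 4 fails the checksum and is ignored, while the test PANs on lines 2 and 3 pass. Any hit should be treated as an incident in its own right, since the data has already been written to disk and must be purged and the logging that produced it fixed.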
7. PCI Requires Merchants To Store Cardholder Data
PCI does not require merchants to store cardholder information. In fact, they discourage merchants and processors from storing this data. It’s illegal to keep data from the magnetic stripe on the back of the credit card. If the merchant has a business reason to store the information on the front of the card, such as the customer’s name or account number, they are required by PCI DSS to encrypt that data.
8. Outsourcing Card Processing Makes A Business Compliant
Simply outsourcing payment processing does not ensure that the business is fully compliant. The merchant will still need to follow procedures for handling transactions and data. They will also need to ensure that their payment terminals and applications comply with PCI regulations. Most importantly, the merchant should ensure that cardholder data is encrypted and stored securely. To make sure payment processes are compliant, the retailer should request a certificate of compliance from the payment processing provider on an annual basis.
9. PCI Compliance Is The Responsibility Of IT
While the IT department handles the technical aspect of payment systems, security risks affect a business’s reputation and finances—which means that the whole organization is affected by PCI compliance or non-compliance. Therefore, it’s recommended that the company establish a multi-disciplinary team to handle policies and procedures related to securing the payment process flow.
10. PCI Compliance Alone Will Make A Business Secure
As mentioned earlier, being PCI compliant is a baseline for security. Completing a system scan and assessment for PCI only ensures compliance at one moment in time. Business processes and the IT infrastructure that supports them can change, along with the PCI standards themselves—leaving a business open to a security breach. This is why compliance efforts need to be continuous and why additional security measures may be necessary for an organization.
11. PCI Compliance Is Impossibly Complicated
Following the 12 PCI DSS requirements can seem like an enormous undertaking, especially for small businesses with no dedicated IT staff. Fortunately, there are options for simplifying PCI compliance.
Merchants can partner with trustworthy providers of products and services that help meet the requirements of compliance. Additionally, they can make compliance a part of their ongoing business plan and budget so that they’re always prepared to meet regulations and handle issues.
12. PCI Compliance Is Too Expensive
Oftentimes when a merchant complains about PCI compliance being too hard, they mean it is too expensive. Although it’s true that abiding by the regulations is not cheap, the costs of non-compliance (e.g., fines, legal fees, lost business) far exceed the costs of implementing PCI DSS.
Ways To Ensure PCI Compliance
Becoming and remaining PCI compliant requires continual audits and precautions to ensure cardholder data is protected from data breaches.
Unfortunately, only 25-30% of businesses make compliance a priority after the first year of becoming PCI DSS compliant. Other companies become complacent, leaving their operations vulnerable to security breaches.
To save money in the long run and protect against attackers, merchants should avoid negligence and mistakes related to compliance by implementing the following strategies:
Document Significant Changes
All too often, businesses fail to document significant changes simply because PCI regulations leave it up to the organization to determine what should be deemed a significant change. For this reason, it can be hard to make sure all significant changes are documented. This is especially true for small companies without a dedicated team for ensuring compliance.
To avoid the mistake of not documenting changes, an organization should define what constitutes a “significant change” within their policy so that everyone involved will know what changes to track. Some of the most common significant changes include security redesigns, architectural changes, product upgrades, and changes to encryption keys.
In addition to defining what a significant change would be for your organization, you should also set up a process to run a penetration test any time one of these changes occurs to ensure there are no holes in your security.
Install File-Integrity Monitoring Software
Using file-integrity monitoring (FIM) software is a PCI DSS compliance mandate.
This tool can alert merchants to changes in existing log data and monitor files and folders. As a result, businesses will be able to act quickly when missing elements and unplanned changes have been identified.
Even though FIM software is required, many businesses neglect to utilize this tool to check their payment processing system. However, this leaves them vulnerable to attacks, especially by malware designed to appear like an original driver file. It’s vital to have controls, policies, and procedures in place to take action immediately.
Determine Your PCI Scope
Ensure your organization is compliant by identifying and reducing your compliance scope. A smaller PCI scope means you’ll have fewer touchpoints in your organization that handle cardholder data.
One practical way to reduce your PCI scope is by implementing a PCI-validated point-to-point encryption (P2PE) system. P2PE solutions encrypt card data during every step of the payment processing cycle, which guides your business one step closer to PCI compliance.
In addition to a P2PE system, you’ll ultimately need to examine the people, processes, systems, and technologies that interact with sensitive payment information. By understanding these elements and how they come into contact with this data, you’ll be able to assess your PCI scope and set up the relevant security measures to ensure compliance.
Manage Cryptographic Keys
Cryptographic keys (the keys used to encrypt cardholder information) should be properly managed so they are not inappropriately stored, misused, or reused. Businesses need to keep an inventory of keys, processes for key expiry and revocation, and key split/dual controls. This will help mitigate insider threats from mismanaged keys.
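The two controls named here, an inventory with expiry tracking and split knowledge for dual control, are simple to express in code. The following added example is not from the white paper or from Cardknox: the inventory entries and the `TODAY` date are constructed, the key ids are hypothetical, and the split uses XOR secret sharing, in which every share is required to reconstruct the key and any subset of shares reveals nothing about it.

```python
import secrets
from datetime import date, timedelta

# Constructed key inventory; ids and dates are hypothetical.
INVENTORY = [
    {"id": "dek-2023-01", "purpose": "PAN encryption", "created": date(2023, 1, 10),
     "expires": date(2024, 1, 10), "status": "active"},
    {"id": "dek-2023-03", "purpose": "PAN encryption", "created": date(2023, 3, 20),
     "expires": date(2024, 3, 20), "status": "active"},
    {"id": "dek-2024-01", "purpose": "PAN encryption", "created": date(2024, 1, 5),
     "expires": date(2025, 1, 5), "status": "active"},
    {"id": "kek-2022-07", "purpose": "key wrapping", "created": date(2022, 7, 1),
     "expires": date(2023, 7, 1), "status": "revoked"},
]
TODAY = date(2024, 3, 1)   # constructed reference date for the check


def keys_needing_action(inventory, today, warn_days=30):
    """Flag active keys that have expired or expire within warn_days."""
    findings = []
    for key in inventory:
        if key["status"] != "active":
            continue               # revoked/retired keys are already handled
        if key["expires"] <= today:
            findings.append((key["id"], "expired"))
        elif key["expires"] - today <= timedelta(days=warn_days):
            findings.append((key["id"], "expiring"))
    return findings


def split_key(key, n=2):
    """Split key into n shares such that XOR of all shares recovers it.
    n-1 shares are random; the last is chosen so the XOR works out."""
    shares = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = bytes(key)
    for share in shares:
        last = bytes(a ^ b for a, b in zip(last, share))
    shares.append(last)
    return shares


def combine_shares(shares):
    """Reconstruct the key by XOR-ing all shares together."""
    result = bytes(len(shares[0]))
    for share in shares:
        result = bytes(a ^ b for a, b in zip(result, share))
    return result


if __name__ == "__main__":
    print(keys_needing_action(INVENTORY, TODAY))
    kek = secrets.token_bytes(32)
    custodian_shares = split_key(kek, n=2)    # one share per key custodian
    print(combine_shares(custodian_shares) == kek)
```

Each custodian holds one share, so no single person ever sees the whole key; a key ceremony combines the shares inside the HSM or key-management system and the shares are never written to the same medium. In production the inventory would be the key-management system's own records rather than a list in code.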
Perform Annual Audits
PCI compliance audits are not just a consequence handed down by credit card companies or banks due to a data breach. Merchants should be performing these audits at least once a year to make sure there are no holes in the payment system. Many times, organizations try to do the bare minimum for the sake of documentation, and they perform the audits themselves. However, this often leads to missed flaws in the system. Therefore, it’s recommended that they work with external professionals to avoid non-compliance issues.
Evolving PCI Standards
Debunking these common PCI myths and ensuring best practices for payment security is only the beginning. Subject to change at any time, PCI compliance should be viewed as an ongoing process along with internal IT audits. Just because you are compliant now does not mean you will remain that way. As PCI compliance and guidelines change and grow, merchants will need to constantly review their adherence to the requirements. You’ll be in the best position to deal with inevitable changes if you continuously monitor processes, people, and technology and compare them to PCI mandates.
Simplify PCI Compliance With Cardknox
Organizations can simplify the process of PCI compliance by partnering with third-party payment companies who are well-versed in PCI DSS compliance. Cardknox is a leading provider of hassle-free payment gateway integration solutions that protect cardholder data. As a Cardknox client, you’ll reap the benefits of our 20+ years of industry experience and cutting-edge security solutions that reduce your PCI scope:
P2PE Encryption
P2PE is the Payment Card Industry’s encryption solution to ensure that payment card data remains secure from the beginning to the end of the transaction process. It uses complex algorithms to encrypt card information as it moves from the POS system to the issuing bank for verification. Cardknox supports a wide range of P2PE encrypted terminals so that businesses can keep customer data safe while processing payments through physical payment terminals.
Tokenization
Cardknox’s tokenization technology replaces sensitive card data with randomly-generated tokens. This ensures that payment data is kept away from the merchant’s server, and it also allows for the safe storage of payment data. In the event that a hacker intercepts or steals the tokens, they will be worthless to them.
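The property that makes tokens worthless to a thief is that they are random values with no mathematical relationship to the card number; the mapping lives only in a vault outside the merchant's systems. This is an added illustration of that design, not Cardknox's implementation: the `TokenVault` class stands in for the provider's vault (here an in-memory dictionary, whereas a real vault encrypts its contents and lives in a separate, audited environment), and the merchant side keeps only the token and the last four digits for display.

```python
import secrets


class TokenVault:
    """Stand-in for a provider-side token vault (constructed for this example)."""

    def __init__(self):
        self._store = {}          # token -> PAN; a real vault encrypts this

    def tokenize(self, pan):
        """Return a fresh random token for the PAN and vault the mapping."""
        if not pan.isdigit() or not 13 <= len(pan) <= 19:
            raise ValueError("PAN must be 13-19 digits")
        token = "tok_" + secrets.token_hex(16)   # 128 bits of randomness
        self._store[token] = pan
        return token

    def detokenize(self, token):
        """Look the PAN back up; only the vault can do this."""
        return self._store.get(token)


def merchant_record(vault, pan):
    """What the merchant stores after tokenizing: no PAN, only token + last4."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:]}


if __name__ == "__main__":
    vault = TokenVault()
    rec = merchant_record(vault, "4111111111111111")   # standard test number
    print(rec)
    print(vault.detokenize(rec["token"]))
```

Two things are worth noticing: tokenizing the same card twice yields two unrelated tokens, so a token reveals nothing about the PAN or about other tokens, and a stolen merchant database contains nothing that can be charged outside that provider's relationship with that merchant.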
iFields
For e-commerce businesses, Cardknox offers iFields. This technology can be used when designing an online payment form in order to protect customer card data. Once iFields are implemented, submitted card data bypasses the merchant’s server and is sent directly to Cardknox, where the data is tokenized. The token is then returned to populate the payment field, and the newly-secure form data is sent to Cardknox for processing.
PaymentSITE
Merchants who are looking for an easy and secure way to accept payments online will be sure to benefit from PaymentSITE. Cardknox PaymentSITE is a hosted payment form that can be embedded into the business’s website or used as a standalone payment form. This customizable, mobile-friendly form uses tokenization technology and is PCI compliant.
Partner With Cardknox Today
PCI compliance is a central component of any merchant’s business operations. Maintaining compliance with PCI DSS is necessary in order to keep your processing account in good standing, establish trust and customer loyalty, avoid fines and fees, and prevent the fallout of a data breach.
Partnering with Cardknox can simplify PCI compliance. Contact our team today to learn more about our hassle-free payment integrations.