Myth (1): As a small merchant that takes only a handful of cards, I do not need to be PCI compliant.
Fact: This is a common misconception, that small merchants, especially those who handle one or a few credit cards a year, do not need to be compliant. In fact, every merchant that is set up to accept a credit card by any mechanism must be compliant.
Myth (2): E-commerce is the only sector where PCI applies.
Fact: PCI applies to every company that transmits, stores or processes cardholder information. Moreover, anyone who takes a credit card on a POS device is at greater risk than an e-commerce solution.
Myth (3): To be PCI compliant you only have to meet the majority of the criteria.
Fact: To be PCI compliant you must achieve a 100% pass mark. Failing even one criterion means you do not qualify as PCI compliant.
Myth (4): By protecting my credit card data I have automatically handled everything required; ATM/debit card data is not covered.
Fact: Both are required. A debit card serves a double purpose, since it can be used on both the credit and the debit card networks. Debit card data must be protected because it is covered by PCI in the same way as credit card data.
Myth (5): I can wait until my business grows before becoming PCI compliant.
Fact: Not advisable. PCI compliance applies to businesses of all sizes, and failure to comply exposes you to fines and compensation demanded by the banks, mostly $50 to $90 for every card that has to be replaced.
Myth (6): It is fine to answer yes to every question on the Self-Assessment Questionnaire.
Fact: Agreeing to every SAQ question without the facts to back it up puts your business at great risk. The SAQ is the way your merchant bank learns your level of compliance. If a compromise takes place and you were not actually compliant, that would be a very serious case.
Myth (7): Waiting until my bank asks me to become compliant is the safest choice.
Fact: Today, waiting for the bank to push you to sign up for compliance is very costly. Most importantly, the deadlines for becoming PCI compliant are long past.
Myth (8): I have not signed anything saying I am compliant, so being a merchant does not require me to be compliant.
Fact: Being capable of storing, transmitting and processing credit cards is what makes compliance apply to you. The bank does not have to show that you signed anything about compliance; by opening a merchant account you are bound by all the rules and regulations of the PCI standards.
Myth (9): Every merchant is entitled to store any data.
Fact: This is not the case, because merchants are not entitled to the customer's data; they do not own the customer. Storing it without authorization is also a violation of state and federal privacy legislation. The PCI regulation does not allow storing data of the following kinds: PIN blocks, PIN numbers, CVV or CVV2, unencrypted credit card numbers and, lastly, Track 1 or Track 2 data.
Myth (10): A single vendor or product is all it takes to make us compliant.
Fact: No single vendor can fully address all 12 requirements of PCI DSS. When one product is the focus of the marketing, one may think its capabilities cover everything, whereas the right perspective is the big picture.
Myth (11): Outsourcing our card processing makes us compliant.
Fact: Compliance rests on the policies and procedures that govern cardholder transactions and data processing. Outsourcing simplifies payment card processing but does not provide automatic compliance.
Myth (12): PCI compliance is a one-off IT project.
Fact: PCI compliance is more than a project; it is an ongoing process of assessment, remediation and reporting. It is a business issue best addressed by a multi-disciplinary team, even though compliance with the payment brands' programs relies on IT staff to implement the technical and operational aspects.
Myth (14): PCI will achieve security for us.
Fact: Security is challenged every day and improvements never stop, so it has to get stronger every day. PCI compliance efforts are a continuous process of assessment and remediation; it is that ongoing work, not the compliance label by itself, that keeps cardholder data safe.
Myth (15): PCI asks for too much, which makes it unreasonable.
Fact: All of this is for the best in securing sensitive information, since it provides a standard and captures the significant details merchants and processors need. It leaves them with no doubt about what is expected of them or what the next step is. The reasonable aspect is that compensating controls are offered as an option for meeting some requirements.
Myth (16): A Qualified Security Assessor (QSA) is a basic requirement of PCI.
Fact: Organizations use a QSA for the specialized expertise needed in the on-site security assessment required by PCI DSS, and the QSA is the one who can grant approval for compensating controls. However, PCI DSS does provide the option of an internal assessment with an officer sign-off if your acquirer and/or merchant bank agrees. Mid-sized and smaller merchants may use the SAQ found on the PCI SSC website and assess themselves.
Myth (17): PCI is too easy.
Fact: No, it is not. Understanding and implementing the 12 requirements of PCI DSS can seem overwhelming, especially for merchants without a large IT and security department. That said, all PCI DSS calls for is good basic security. Every business needs to protect sensitive data and ensure continuity of operations, both of which PCI covers, so every step counts.
Myth (18): PCI is what makes us store cardholder data.
Fact: The missed point is that merchants and processors have no need to store cardholder data. This activity is strongly discouraged by both PCI DSS and the payment card brands. Where data is stored at all, it must be encrypted to render it unreadable so that the sensitive information is protected.