Retailer Misconceptions About PCI Compliance

Regardless of the type of business you own, if you accept credit cards then you need to know about PCI compliance. You may have heard the term before and know that it’s important to your business but still have more questions than answers on the subject.

First of all, understand that you are not alone and we can help. TransFirst® has been in business since 1995, providing information, education and support with our PCI compliant merchant account services. In this time, the landscape has changed and evolved but the importance of PCI compliance has never waned.

To be PCI compliant you must meet the PCI DSS (Payment Card Industry Data Security Standard) requirements for:

  • Security management
  • Policies
  • Procedures
  • Network architecture
  • Software design
  • Other critical protective measures

PCI compliance is an ongoing process. Once you achieve compliance, you must continually strive to maintain it. Think of it in terms of three steps:

  1. Assess: identify where cardholder data lives, take an inventory of the IT assets and business processes involved in payment card processing, and analyze them for vulnerabilities that could expose cardholder data.
  2. Remediate by correcting vulnerabilities and not storing cardholder data unless you need it.
  3. Report by compiling and submitting required remediation validation records (if applicable) and compliance reports to the merchant services provider and card brands you do business with.

The purpose of being PCI compliant is to take responsibility for helping ensure that payment card data remains secure throughout every transaction your business processes. Without the necessary measures in place to protect critical sensitive data, you put your business and your customers at risk. If a data breach occurs, it can damage or destroy your company’s reputation and financial standing, and could ultimately put you out of business.

The impact it could have on your customers is equally devastating if their sensitive personal information and credit card data were stolen. Precautions must be taken to help protect your customers from fraud and identity theft resulting from personal data falling into criminal hands. A victim’s losses may include not only out-of-pocket financial losses, but substantial additional financial and emotional costs associated with trying to restore one’s personal finances and correcting erroneous information for which the criminal is responsible.

There are myths surrounding PCI compliance, the emerging chip and PIN standards, the Cloud, and the best practices retailers should consider to ensure they remain in compliance. Many companies struggle to understand PCI compliance requirements and often hold misconceptions about what it means for their business, especially since the recent announcements from Visa and MasterCard.

Chip and PIN technology will impact retailers by October 2015, when liability for a counterfeit card transaction that occurs at a merchant who has not switched over to a contact chip terminal will shift from the card issuer to the merchant services provider, who could then pass those costs along to the merchant through additional fees.

“The chip and PIN standard represents a liability shift. Ultimately what that means is that if there is a fraudulent transaction, and a credit card has not been processed using the chip and PIN requirement, then the retailer becomes liable for any of that fraud, where today the liability, based on the current standards, is with the bank,” says Randy Davidson, Senior Retail Industry Analyst at Tectura, worldwide provider of business consulting services.

Davidson addresses the mistaken notion that chip and PIN will replace PCI compliance: “That’s somewhat of a misconception that many people have, that chip and PIN is adding an additional level of security at the moment in time a card transaction is processed. But it doesn’t change the PCI requirement, and although they’re coupled together in some capacity, PCI compliance deals with the storage of credit card data or how it’s handled from an infrastructure security perspective. The chip and PIN technology adds just that additional level of security at the time of processing.”

A misconception that many retailers still hold is that PCI compliance relates only to the POS software itself. In fact, the requirements go beyond the software and the database structure: there are also policies and processes that need to be put in place.

Misconceptions also exist among retailers about payment processing compliance in the Cloud. Retailers sometimes believe that if their credit card application is hosted somewhere else, rather than stored on their own servers, this reduces the risk or the PCI requirement. This is a myth: even if the application is hosted offsite, it is still accessible from the merchant’s network.

Ultimately PCI compliance is required from the moment you accept or swipe the credit card at the point-of-sale terminal. If applications are hosted in the Cloud or stored off-site, those facilities or locations will become part of the PCI compliance requirement, because they are accessible from the merchant’s network.

© 2014 TransFirst. All Rights Reserved.