Retailer Misconceptions About PCI Compliance
Regardless of the type of business you own, if you accept credit cards then you need to know about PCI compliance. You may have heard the term before and know that it’s important to your business but still have more questions than answers on the subject.
First of all, understand that you are not alone, and we can help. We have been in business for over 30 years, providing information, education and support with our PCI-compliant merchant account services. Throughout this time, the landscape has changed and evolved, but the importance of PCI compliance has never waned.
To be PCI compliant you must meet the Payment Card Industry Data Security Standard (PCI DSS) requirements for:
- Security management
- Network architecture
- Software design
- Other critical protective measures
PCI compliance is an ongoing process. Once you achieve compliance, you must continually strive to maintain it. Think of it in terms of three steps:
- Assess by identifying cardholder data, taking an inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities that could expose cardholder data.
- Remediate by correcting vulnerabilities and not storing cardholder data unless you need it.
- Report by compiling and submitting required remediation validation records (if applicable) and compliance reports to the merchant services provider and card brands you do business with.
The purpose of being PCI compliant is to take responsibility for helping ensure that payment card data remains secure throughout every transaction your business processes. Without taking the necessary measures to protect critical sensitive data, you put your business and your customers at risk. If a data breach occurs, it has the potential to damage or destroy your company’s reputation and financial stability, which could ultimately put you out of business.
The impact it could have on your customers is equally devastating if their sensitive personal information and credit card data were stolen. Precautions must be taken to help protect your customers from fraud and identity theft. A victim’s losses may include not only out-of-pocket financial losses, but substantial additional financial and emotional costs associated with trying to restore one’s personal identity.
There are myths surrounding PCI compliance, EMV® standards, the Cloud and the best practices for staying in compliance. Many companies struggle to understand PCI compliance requirements and often hold misconceptions about what the requirements mean for their business.
Merchants must now also consider EMV® or chip card technology. Since the October 2015 liability shift, merchants who have not switched over to an EMV terminal are now responsible for costs incurred from counterfeit card-present transactions that occur at their place of business.
However, there is a mistaken notion among retailers that EMV replaces PCI compliance—this is not the case. PCI compliance relates to the storage of payment card data and how it’s handled from an infrastructure security perspective. And though EMV does add an additional layer of security at the time a card transaction is processed, it does not encrypt the card data. EMV technology and PCI standards are best used in a layered fashion. So when upgrading to an EMV-certified terminal, consider adding point-to-point encryption (P2PE) to reduce your PCI scope and better protect sensitive cardholder information.
Another misconception about PCI compliance that many merchants still believe is that it just relates to the POS software itself. The requirements actually go beyond the software and the database structure.
Further misconceptions exist amongst retailers about payment processing compliance in the Cloud. Retailers sometimes believe that if their credit card application is hosted somewhere else, rather than on their own servers, their risk or their PCI compliance obligations are reduced. This is a myth: even if the application is hosted off-site, it is still accessible from the merchant’s network, and the hosting environment therefore remains in scope.
Ultimately, PCI compliance is required from the moment you accept a credit card at the POS terminal. If applications are hosted in the Cloud or stored off-site, those facilities or locations will become part of the PCI compliance requirement, because they are accessible from the merchant’s network.
EMV is a registered trademark or trademark of EMVCo LLC in the United States and other countries.