PCI DSS Myths
Published December 2, 2024.
Myth: Only large companies required and can undergo PCI DSS certification
Fact: Incorrect. PCI DSS applies to all entities involved in payment card processing including merchants and other entities that store, process and/or transmit cardholder data. They all must comply with PCI DSS requirements. In fact, PCI DSS was developed to enhance the security of cardholder data, that is why any entity that holds cardholder data should comply with the standard. Non-compliance could mean high risk for these entities because when there is a security breach to cardholder data and they are not PCI compliant, they could be subjected to penalties such fine and other sanctions from banks and credit card processors. They may also be subject to lawsuits and/or governmental prosecution because of failing to protect customer data.
Myth: Using certified PCI DSS cloud (SaaS, PaaS, IaaS) which is certified, automatically becomes PCI Complaint
Fact: Incorrect, while many companies/merchants now use cloud services they still have to comply themselves with PCI DSS even though they use services from certified PCI-compliant providers. When you are using cloud services, you have to clearly define the responsibilities of your own and your cloud service provider to maintain the compliance to PCI DSS requirements. In order to do that, you should understand the details of the offered services. Your provider should clearly identify which requirements of PCI DSS are covered by its PCI compliance program and which ones are not. The provider then has to document those aspects of its service which are not covered and make an agreement with the client (i.e. your company) that those aspects are your responsibility to manage and assess.
Myth: Once achieve PCI DSS compliant, the next year you have nothing to do.
Fact: The achievement of PCI-compliant does not mean you have reached your final goals. You still need to maintain the policies, procedures, and good practices that are consistent with PCI DSS requirements. Moreover, validation of compliance should be performed annually. Beyond PCI DSS compliance, the standard was developed to protect cardholder data, then it is important that you implement all controls (such as policies and daily operational security procedures) that are consistent with PCI DSS requirements in your daily business activities. Only by continuously and consistently executing all these security controls including development and implementation of a security awareness program to make all relevant parties and personnel aware of the importance of cardholder data security, the objectives of PCI DSS can be achieved.
