Seven Common E-Commerce PCI Compliance Myths Explained

In Security by Bobby Boughton

There are so many e-Commerce PCI Myths floating around that it’s easy to find the subject confusing. Here’s the reality: If your business accepts credit cards, your transactions must comply with the Payment Card Industry Data Security Standard (PCI DSS) – a set of standards that applies to any company that accepts, processes, stores or transmits credit card data. Whether your business is done online, at a physical location, or a combination of both, the PCI council is interested in how well you secure this data.

Compliance with the PCI DSS can seem complicated and confusing—however, it is absolutely essential to your company’s reputation to protect your customers’ data. The first rule of success in business is that your customers trust you – and that includes trusting you with their data.

The PCI Compliance Guide has identified a number of myths and misconceptions about PCI compliance for online businesses that we’ll look at a little more closely here.

Myth #1: I’m a Small Merchant and Don’t Process Many Transactions, PCI DSS Doesn’t Apply to Me

You may have heard that the PCI DSS doesn’t apply to small businesses that only process a handful of cards a year or are not yet big enough for the PCI Security Standards Council (PCI SSC) to notice them. That’s a common misconception. While you may not be required to submit a compliance report to the PCI SSC, they suggest you use a Self-Assessment Questionnaire to determine if you are in compliance. If you have a security breach and are not in compliance, ignorance will not excuse you from the consequences.

Myth #2: If We Meet the Majority of the PCI Compliance Criteria We Are Fine

The PCI DSS is essentially the bare minimum that you should be doing to ensure the safety of your customers’ data. You need to meet 100 percent of the criteria to be in compliance. Even then, full compliance does not necessarily mean your systems or data are secure. Just remember: should you fail a PCI audit, you could lose the ability to process any credit card transactions at all, and this is something few businesses can survive, especially a business heavily dependent on e-Commerce.

Myth #3: PCI Standards Only Apply to Credit Cards Not ATM/Debit Card Data

Since debit cards are often processed on credit card systems and are issued by the same banks and credit card providers, they fall under the rules of the PCI DSS. The same protections exist for debit card information as credit card data.

Myth #4: As a Merchant, We Never Signed Anything About PCI Compliance, so it Doesn’t Apply to Us

When you applied for merchant status, whether it was through your bank, a third-party processor like PayPal or Square, or directly with a credit card service, you agreed to abide by the PCI standards. It is part of your contract. Abiding by these standards means that it is your responsibility to be compliant if you wish to continue accepting payment by credit card. If you have set up a merchant account that allows you to receive payments this way, the PCI DSS applies to you and your business.

Myth #5: As a Merchant, We Are Allowed to Store Any Data We Want

Many companies believe that the customer has given them this information and therefore they have a right to store any and all data to help their business. Unfortunately, storing certain types of information violates the PCI DSS and may also be a violation of State and Federal privacy laws. The PCI regulations explicitly forbid storing of any of the following:

  • Unencrypted credit card number(s)
  • CVV or CVV2 – the 3- or 4-digit security code printed on the back of the card
  • PIN blocks
  • PIN numbers
  • Track 1 or 2 data – the information stored in the magnetic stripe

Should an audit take place and any of these prohibited data are found in your databases, log files, audit trails, backups or other storage media, you will face serious consequences. If your system is identified as the place that a security breach has happened, causing the release of card users’ financial data, you will be subject to fines and can be held liable for losses that result from that. Additionally, you can be blacklisted by banks and credit card providers and cut off from doing business with them.
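The prohibited data above tends to surface in exactly the places the paragraph names: debug logs, audit trails and backups. As an added example (not from the original post), here is a small Python scanner that flags log lines containing Luhn-valid card numbers, CVV fields, or track 1/track 2 patterns; the regular expressions and the sample log lines are constructed for illustration, and the card number used is a well-known test PAN.

```python
import re

# 13-19 digits, optionally separated by single spaces or dashes (candidate PAN)
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1 layout: %B<PAN>^<NAME>^<expiry><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4,}[^?]*\?")
# Track 2 layout: ;<PAN>=<expiry><service code><discretionary data>?
TRACK2_RE = re.compile(r";\d{13,19}=\d{4,}[^?]*\?")
# CVV/CVC/CSC value logged in key=value or key: value form
CVV_RE = re.compile(r'\b(?:cvv2?|cvc2?|csc)\b\s*[:=]\s*"?\d{3,4}\b', re.I)

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out order or tracking numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_line(line: str) -> list[str]:
    """Return the kinds of prohibited cardholder data found in one log line."""
    findings = []
    if TRACK1_RE.search(line):
        findings.append("track1")
    if TRACK2_RE.search(line):
        findings.append("track2")
    if CVV_RE.search(line):
        findings.append("cvv")
    if any(luhn_ok(re.sub(r"[ -]", "", m.group(0))) for m in PAN_RE.finditer(line)):
        findings.append("pan")
    return findings

def scan_log(lines: list[str]) -> list[tuple[int, list[str]]]:
    """(line number, findings) for every line that should never exist in stored logs."""
    return [(n, f) for n, l in enumerate(lines, 1) if (f := scan_line(l))]

# Constructed sample log; 4111 1111 1111 1111 is a published test card number
SAMPLE_LOG = [
    "2016-05-01T10:00:01 order=10021 status=ok amount=49.99",
    "2016-05-01T10:00:02 DEBUG card=4111 1111 1111 1111 cvv=123 exp=12/25",
    '2016-05-01T10:00:03 swipe raw=";4111111111111111=2512101123456789?"',
    '2016-05-01T10:00:04 swipe raw="%B4111111111111111^DOE/JOHN^25121011234567?"',
    "2016-05-01T10:00:05 tracking_id=4111111111111112 carrier=ups",
]
```

Run `scan_log(SAMPLE_LOG)` to see that lines 2, 3 and 4 are flagged while the Luhn-invalid tracking number on line 5 is not; the same functions can be pointed at exported database rows or backup dumps.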

Myth #6: My Business is Safe; We Are Using Someone Else for All of Our Credit Card Processing

Many businesses wrongly believe that simply outsourcing card processing makes them compliant, which is one of the most common and most dangerous myths. While it may seem like the easiest way to avoid having to deal with all of this is to engage someone else to handle all of your e-commerce credit card processing, this is not the case. There are a few hidden pitfalls to avoid with this solution as well as some best practices to ensure that you are not at risk.

First and foremost, the PCI SSC considers it your responsibility to ensure that your payment card data transactions are secure from end-to-end. If you choose to outsource part or all of this to a third party, you need to be certain that their tools, processes, and platforms are also PCI compliant and secure.

Recent changes to the PCI DSS (v 3.22 issued April 28, 2016) require more frequent testing by service providers to ensure compliance and security. Segmentation testing for service providers moves from annually to every six months, and penetration testing should occur frequently and regularly. A good service provider should be able to provide you with both the results of vulnerability testing on the web application that you’re using and proof that they are PCI compliant.

It’s also relatively easy to slip out of compliance yourself if you assume that outsourcing card processing and data to third parties covers anything beyond the services outlined in your contract. For instance, suppose you have a secure shopping cart and a processing provider that is PCI compliant, but you are also taking orders over the phone, which means someone at your location is keying card data into that system. That puts you back in scope, because processing payments over the phone goes over insecure communication lines and gives people outside the service provider’s scope access to card data.

Among the challenges of staying in compliance is keeping sensitive data like PCI data segmented from other data, as the standard requires. Your customer information that relates to credit card information isn’t meant to reside on the same server as any of your other data.

Trying to save money on the front end could end up costing you more than you hoped to save in the long run, especially if you are breached. The PCI Council has issued Payment Application DSS as well, and they are changing and updating those requirements as frequently as the PCI DSS. If you don’t choose a site host that understands real security and PCI compliance and uses tools that keep your payment data secure, you run the risk of having to redo your entire site.

Working with a PCI compliant data center and hosting provider who also maintains a high level of security and constant testing will ensure that you are less vulnerable. With increasing incidents of cyber-attacks specifically designed to acquire credit card data and resell it on the dark web, PCI-DSS compliance alone will not necessarily keep your data safe.

Myth #7: If We Set It Up Right the First Time, We’re Fine

The PCI DSS compliance requirements change over time. The most recent version issued in April 2016 was specifically updated to address the fact that this is not a one-time process or even an annual review, but an on-going one.

According to Troy Leach (CTO of the PCI Security Standards Council): “Analysis of recent cardholder data breaches and PCI DSS compliance trends reveal that many organizations view PCI DSS compliance as an annual exercise and do not have processes in place to ensure that PCI DSS security controls are continuously enforced.” Being PCI compliant means continuously adhering to the PCI DSS requirements, not passing a one-time check.

If your company doesn’t have the resources or personnel to build and maintain a completely PCI compliant system and to test and maintain it regularly, you are probably better off finding good partners with the proper tools and the resources to do this for you. But make sure that they, too, are constantly in a process of improving their own security.

These Are Only a Few of the Things to Consider…

As we mentioned at the beginning of this post, PCI compliance is complex and often confusing. With these 7 common myths, we’ve only scratched the surface. If you’ve gotten this far and are feeling like it is all a bit overwhelming, it may be time to hire some expert help.

Additional Resources on This Topic:

PCI Glossary of Terms and Definitions
Data Security: Why PCI DSS Alone Doesn’t Cut It
PCI SAQ 3.1: E-Commerce Options Explained
6 Popular E-Commerce PCI DSS Compliance Myths Explained

Photo Credit: Yeni İş Fikirleri via Compfight cc

This post was first published on OnRamp. 

With over a decade of experience in data center services, Bobby Boughton oversees the strategy, implementation and execution of OnRamp’s sales and business development for OnRamp’s growing, high security hosting, cloud computing and colocation services. Connect with Bobby Boughton on LinkedIn.
