3 Myths about PCI DSS


The potential scope of your PCI DSS compliant Cardholder Data Environment (known as the CDE) may seem daunting. A small merchant and a large processor have very different levels of maturity in their security processes and documentation, and different amounts of time available to secure this area.

I have come across many myths about PCI DSS in my various engagements. To start, I will share three of them with you.

Don't listen to any IT manager, QSA or board director who uses this kind of language: "too hard for us", "not necessary for us", or "easy for us, we're big and we have the budget".

Myth 1 – One vendor or product will make us compliant

Many vendors offer an array of software and services for PCI compliance. To date, however, no single vendor or product fully addresses all 12 requirements. Several of the requirements (information security policies, personnel awareness, incident response procedures, service provider management) are about people and processes, not products, and no appliance or subscription can satisfy them on its own.

Myth 2 – Outsourcing card processing makes us compliant

Outsourcing simplifies payment card processing but does not provide automatic compliance. You still have to address policies and procedures for cardholder transactions and data processing, and you remain responsible for managing your third-party service providers and confirming that they are themselves compliant. Your business must protect cardholder data whenever it receives it, for example when processing chargebacks and refunds.

Myth 3 – PCI compliance is an IT project

This is a big mistake and a poor view of PCI. IT staff implement the technical and operational aspects of PCI-related systems, but compliance with the payment brands' programs is much more than a project with a beginning and an end.

It is an ongoing process of assessment, remediation and reporting. PCI compliance is a business issue that is best addressed by a multi-disciplinary team. The risks of a compromise are financial and reputational, so they affect the whole entity.