Top Myths About PCI Compliance

Being responsible for PCI DSS compliance is a huge responsibility.

With more and more opinion articles being published online, it’s easy to be misguided into believing information that could put your business’ reputation at high risk.

To help you avoid making these mistakes, we’ve uncovered the top 7 common myths about PCI compliance that you should ignore…

Myth 1: We only handle a small number of transactions, so we don’t need to be compliant

PCI DSS Compliance applies to anybody that will take or transfer cardholder information.

The size of your business, or the amount of transactions you handle, does not play a part in whether or not you must comply with PCI regulations. Nobody is exempt.

Myth 2: Outsourcing our processing makes us compliant

Although outsourcing can simplify the transaction process, it doesn’t mean that your business is automatically protected from risk.

You are responsible for ensuring your outsourcer complies with PCI regulations, as well as consulting your own policies and procedures to avoid any data being held onto when processing refunds, or charge backs internally.

Never become completely reliant on someone else to manage your PCI compliance.

Myth 3: I’m not an e-commerce company, so I don’t need to be PCI compliant

You’re not an e-commerce company, so you don’t think PCI DSS applies to your business? You’re putting your business at risk. In fact, card-present transactions are often seen as at higher risk of heavy fines or compensation payouts than e-commerce.

If your business processes or stores any sort of cardholder information, you must be PCI compliant.

Myth 4: I pass most of the PCI requirements, so that means I’m compliant

In order to be compliant with PCI, you must pass 100% of the requirements! Being compliant is a necessity, covering 100% of the standard requirements is just the starting point when it comes to protecting your business, and the data you handle.

Myth 5: I have a right to store data as a merchant

Just because someone has provided you with their credit card details in order to make a purchase, this doesn’t mean you are able to keep these details in order to benefit your business.

Not only would keeping unnecessary records of data breach PCI security, it would also potentially violate data protection laws in the UK.

According to PCI requirements, it is forbidden to store:

1. Unencrypted credit card numbers 
2. CVV or CVV2 
3. Pin blocks 
4. PIN numbers 
5. Track 1 or 2 data

With GDPR coming into play this year, it has never been more important to review the way you are handling and cleansing your data. Discover if you are asking the right questions when it comes to handling your data…

Myth 6: My bank will let me know when I’m not PCI compliant

The days of relying on notifications and date ranges for compliance are long gone. It is no longer viable to wait for your outsourcers, suppliers or bank to inform you of a problem.

Compliance is an ongoing procedure. One slip up could cost your business!

Myth 7: PCI is too difficult to manage

Staying on top of the 12 vital PCI compliance requirements can seem like a daunting task, especially if you’re a smaller business without a dedicated team. But it doesn’t have to be difficult.

If you feel that you’re struggling to keep on top of strict processes, procedures and monitoring, why not consider investing in cost-effective and PCI compliant card processing software?

Learn more about how cardassure can help eliminate the stresses of ensuring PCI compliance within your business, download our free brochure.