The world of PCI DSS (Payment Card Industry Data Security Standard) compliance can seem complicated and confusing, especially when you’re new to it. Ensuring your customers’ data is securely protected from potential fraud and data breaches is a crucial task, but one which is riddled with myths and misunderstandings.
To help you get things straight, we thought we’d dispel a few of the most common confusions…
MYTH 1: “PCI compliance protects contact centres from hackers”
Compliance assures your acquiring bank, the card brands (and your customers) that you met the requirements of the standard at the time you were assessed, but new threats emerge every day and an assessment is a snapshot, not a guarantee.
As best practice advances, so too do the techniques attackers use to compromise systems and reach payment data. PCI compliance is a stamp which demonstrates you are taking an appropriate level of precaution; the compliant status by itself does not reduce risk, and it does not protect your contact centre from a threat that your controls fail to stop. Only the controls, kept running and monitored between assessments, do that.
MYTH 2: “Outsourcing card payments to a service provider covers all your PCI compliance bases”
You may think that outsourcing your card payment processing requirements to a hosted PCI service provider means that there’s no need for you to get involved in the nitty gritty of ensuring compliance. This is not the case.
Although this approach can make PCI compliance easier and more cost-effective, every organisation retains ultimate responsibility for its own compliance and, in the case of a data breach, accountability will fall squarely on the shoulders and reputation of your business.
While third parties can manage much of the work for you, it is still your job to ensure standards are being met: PCI DSS requires you to keep a list of your service providers, hold a written agreement in which each provider acknowledges its responsibility for the cardholder data it handles, agree which requirements are managed by them and which remain with you, and check their compliance status at least annually.
MYTH 3: “PCI compliance is for the IT guys to worry about”
PCI compliance goes a long way beyond the scope of your IT team. Maintaining the technology that protects your systems is essential, and that part is your IT team's remit, but the administration, the quarterly scan reports and annual attestations, and the day-to-day application of secure practices across the whole company is a much larger and broader task.
An effective PCI compliance strategy can only be implemented with the support and cooperation of the senior management team (preferably at C-level), compliance and administrative staff, contact centre managers, internal communication teams, frontline staff and any other teams with a vested interest.
MYTH 4: “You need to hire a Qualified Security Assessor (QSA) to be PCI compliant”
Whether you need a formal on-site assessment depends on the merchant level your acquirer and the card brands assign to you, which is based largely on transaction volume. The largest merchants must have an on-site assessment carried out by an external QSA or by a trained Internal Security Assessor (ISA) on their own staff; for most SMEs this is neither required nor practical.
In those cases, businesses validate compliance themselves by completing the Self-Assessment Questionnaire (SAQ) that matches how they accept payments, together with an Attestation of Compliance signed off by an officer of the company. Which SAQ applies, and whether self-assessment is permitted at all, is determined by your merchant level and payment channels, so confirm the expectation with your acquirer rather than assuming.
MYTH 5: “You don’t need to be PCI compliant if you process fewer than 20,000 transactions annually”
Whether you take one payment a year or 100 million, your customers and clients need their sensitive data and personal details protected. PCI DSS applies to any organisation which stores, processes or transmits cardholder data for any number of transactions via the major card schemes, whether taken by phone, online or in person. Transaction volume affects only how you validate compliance (for example, the lowest volume band, below 20,000 ecommerce transactions a year, typically self-assesses), not whether the requirements apply to you.
Failure to meet PCI DSS requirements can result in significant financial penalties passed on by your acquirer and, after a breach, the added costs of forensic investigation and remediation.
Still not sure if you've got all your PCI facts straight? Would you like to learn more about smart PCI solutions that keep cardholder data out of your payment environment and so reduce the scope of the PCI DSS requirements that apply to it? We're here to help. Contact our team of qualified payment security specialists today for further advice, guidance and support.