The Top 6 PCI Compliance Myths



The Payment Card Industry Data Security Standard (PCI DSS) has been around for more than a decade, but that doesn't mean there aren't plenty of compliance myths about data security still floating around infosec. Some of the most pervasive myths involve organizations thinking they don't need to comply, that compliance is too difficult, that compliance is not ongoing, and that compliance automatically ensures the security of their data.


Myth 1: I'm Too Small to Worry About Compliance

One of the most universal myths about PCI DSS is that many merchants believe they are too small or process too few transactions to worry about being PCI compliant. The truth is, every organization that processes, stores, or transmits cardholder data is responsible for compliance. Even if only a single credit card transaction is processed each year, PCI compliance is still required. Businesses using third-party processors are required to comply as well.

Merchants are categorized into one of four PCI compliance levels:

  • Level 1: Merchants processing over 6 million card transactions per year.
  • Level 2: Merchants processing 1 to 6 million transactions per year.
  • Level 3: Merchants handling 20,000 to 1 million transactions per year.
  • Level 4: Merchants handling fewer than 20,000 transactions per year.

See A Beginner's Guide to PCI Compliance Levels for more information.


Myth 2: I Don't Have to Worry, We Outsource Compliance

Many organizations—especially ones that don't have the resources to achieve compliance on their own—choose to outsource compliance measures to third-party firms. Although this is a viable solution for some organizations, it doesn't shift all the onus for compliance to the third-party provider.

Ultimately, your organization is responsible for ensuring its own compliance, so you must still have measures in place to secure credit card and cardholder data when you receive it, and to prevent a data breach during card processing, such as when you issue a refund or chargeback.

Myth 3: Achieving Compliance is Complicated and Difficult

When looking at the 12 PCI requirements for the first time, it can seem overwhelming, especially if you haven't yet taken steps toward compliance and don't have the backing of a security department or help from IT with the technical requirements. That being said, compliance doesn't have to be overly complicated, and the best approach is to view compliance as a security best practice that every organization should offer its clients or customers.

Even if you don't have a multitude of resources at your disposal, compliance is still attainable, and there are plenty of products, services, and tools out there that can help. It will require a financial investment, but the benefits of compliance far outweigh the fines, fees, loss of trust, and other consequences of a breach.

Myth 4: Compliance is Not Ongoing

Although PCI compliance isn't overly difficult, it's not a one-and-done situation. As Rocco Grillo was quoted in BizTech, "PCI compliance is a point in time." Staying compliant requires ongoing security measures, risk assessments, and updates.

This is especially true if you relied on particular tools or vendors to achieve compliance, because there isn't a single product out there that tackles all 12 requirements. A better approach is to thoroughly go over the 12 requirements and devise a comprehensive strategy to address them all.

Moreover, the PCI Security Standards Council regularly publishes new versions of PCI DSS, and each release requires a review of your current strategy and updates to meet the new requirements.


Myth 5: I Don’t Have to Worry About Compliance Because IT Will Deal with It

Similarly, compliance with PCI can't just be passed off to the IT department in the hope that they'll deal with it, because true compliance is an organization-wide responsibility.

While IT can help implement the technical requirements, policies must be put in place to mandate regular assessments and reporting, and these policies should also cover employee training on safe practices when handling cardholder data. Technical safeguards, and the technology that reinforces the right behaviors and attitudes within an organization, can support those policies.


Myth 6: We're Compliant, So Our Data Is Secure

PCI includes a number of industry best practices for securing data, but compliance doesn't necessarily guarantee your data is fully secure. For one thing, hackers and malicious parties are always coming up with new strategies to breach even the most secure networks, which is why PCI standards—and your compliance with them—are always evolving. To keep your data safe, it's important to continually evaluate your efforts, search for vulnerabilities, and take steps to remediate problems.

PCI compliance and file integrity monitoring software are both important in protecting cardholder data against attacks and breaches, but to become compliant you must first fully understand the requirements of the standard. One crucial part of this is knowing the most common myths regarding PCI, because they can lead you astray in your best efforts to achieve and maintain compliance.

To learn more about the 12 requirements for PCI compliance, download our PCI Compliance Checklist today.



Jacqueline von Ogden

Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".