PCI Myths
Now that we have talked about PCI compliance and its six core control objectives:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
let us look at a few common myths. Believing any of them could cost you thousands of dollars
in fines.
Hackers Only Target Large Companies
Some merchants assume that breaches only happen to large corporations.
Part of this is true: breaches do happen to large corporations, but smaller merchants
are just as vulnerable. If you run a shopping cart and its code is not kept
up to date, a known vulnerability in it can leave you wide open to a data compromise. If you
store, process, or transmit any cardholder data (at a minimum the primary account number, with or
without the cardholder's name, expiration date, or service code), you need to be
PCI compliant.
Processing is Done on the Gateway (or Third Party)
The transaction may be completed on the electronic payment gateway's secure website or by a
third party processor (3PP) / Internet Payment Service Provider (IPSP), and that provider
may well be PCI compliant. That does not make you compliant or exempt.
PCI compliance is an ongoing process: the PCI DSS requirements and security
assessment procedures cover data security, physical security, and your own
security policies, not just the party that handles the card number.
Nor can a provider's compliance status be taken for granted. For example, the
CISP Compliant list from Visa dated 3 May 2007 shows that Google Checkout was late
in reporting its compliance to Visa. On the 15 Jul 07
CISP Compliant list, Google Checkout had been removed because it was more than 90
days late in filing its report. On the 15 Nov 08
Visa CISP Compliant list, Google Checkout is listed again.
The Shopping Cart and Hosting Company are PCI Compliant
A compliant shopping cart and hosting company are only one part of being PCI compliant.
As stated above, PCI DSS also covers your security policies and how you handle transactions.
For example, your security policy should address how your employees handle cardholder
data when an order is taken over the phone.
PCI Only Applies to the IT Department
Unfortunately, this is not the case. In the example above, the employee taking
the order over the telephone works in the sales department. PCI compliance covers
every individual in your company who handles, processes, stores, or transmits cardholder
data.
We Only Handle Two Orders a Month
Breaches can happen to any company, regardless of size or transaction volume. Since your company
has access to cardholder data, you need to be PCI compliant.
PCI Compliance Is Too Much
While the requirements seem intimidating, most of them are probably things your company
is already doing. The standard spells out the specifics and gives you an effective
way to secure cardholder data.
We Are PCI Compliant
Completing the self-assessment questionnaire and having a company
scan your website does not mean you are protected from breaches. Both are point-in-time
attestations; the questionnaire reflects what you reported, and a scan only finds what was
exposed on the day it ran. Compromises can still happen to a PCI compliant merchant.