There are a lot of myths out there about PCI compliance. Many business owners don’t really understand what PCI compliance means or why it matters. It seems like just another requirement on an endless list of tasks – maybe even one you can ignore. We’ve heard all kinds of myths over the years, including the five big ones below. Don’t worry: we’re here to set the record straight.
Myth #1: My business is too small – I don’t need to be PCI compliant.
Sorry, PCI compliance doesn’t depend on the size of your business. Even if you only take one or two card payments a year, you’re still responsible for handling that data in a secure and responsible way. We’ve also heard some people say that PCI compliance only applies to ecommerce businesses. Wrong again – even businesses whose transactions are 100% card-present need to stay compliant.
Myth #2: I can just lie on the questionnaire, no one reads those things.
Eek! Definitely don’t believe this. It may be tempting to just click “yes” over and over again as you go through your periodic Self-Assessment Questionnaire, but that’s a mistake. If you lie on the questionnaire and it’s later determined that you suffered a breach (or were never compliant in the first place), you’re going to be in a whole lot of trouble. Take the questionnaire seriously and make sure to follow up on any deficiencies quickly. Your future self will thank you.
Myth #3: No worries! I bought this software so I’m totally covered.
While it can be tempting to rely on a third party (like a software program or your credit card processor), you still bear some responsibility as a business owner. Even if your payment gateway (like Velox) keeps you out of scope of PCI compliance, you’re still responsible for making sure card data is handled securely whenever it’s in your possession. It’s also a good idea to request annual compliance certificates from your credit card processor or gateway provider, just to make sure everything is on the up and up.
Myth #4: PCI compliance only applies to credit card data.
PCI compliance applies to debit cards as well as credit cards. Most debit cards can be used on credit networks, which means you’re responsible for guarding that data by the same standards. As a reminder, you may not store the unencrypted card number, the CVV/CVV2 code, or the PIN for any credit or debit card. Don’t forget to dig below the surface and make sure this information isn’t sitting in a database or system backup, since that would be a PCI violation too.
Myth #5: PCI compliance is IMPOSSIBLE! No one can keep up with all these requirements!
PCI compliance seems complicated, but it’s really not. For starters, most of the 12 PCI requirements are simply good business practices for securing data. If you are a conscientious business owner who makes smart decisions, you are already well on your way to PCI compliance. Your credit card processor should be able to educate you on what you need to do to stay compliant – and if they can’t, it’s time to start shopping for a new processor. Speaking of which, if you’re looking for a payments partner who puts your business first, 100% of the time, look no further than 360 Payments. Give us a call at 1-855-360-0360 or drop us a line on our website – we’d love to show you how we do things differently.
PS – Make sure you’re paying attention to these business security essentials.
PPS – PCI compliance scan failed? Here’s what to do about it.