10 Common Compliance Myths Person Image

10 Common Compliance Myths

1. Compliance requires a simple, one-time solution.

Merchants are always seeking the magic bullet of security: the one product or service that will make them compliant and keep their data safe. The truth, however, is that compliance is an ongoing series of risk assessments and improvements.

2. Outsourcing = Compliance

Having a merchant services provider handle your credit card processing is smart, but it does not relinquish you from the responsibility of becoming compliant. When you consider that compliance is a matter of security, and that the second leading cause of data security breaches is internal mishandling of sensitive information, it becomes clear that compliance must always be an in-house priority.

3. Compliance is the tech guy’s job.

There’s no question that technology is the key component of data security, but there’s more to maintaining compliance than installing a firewall or antivirus program. Noncompliance has the potential to impact every aspect of your business, from accounting to marketing, so getting compliant is everyone’s job.

4. Getting compliant guarantees that my data is safe.

Simply put, there are no guarantees. There’s a reason that compliance is an ongoing process: crime doesn’t sleep. Thieves and hackers are constantly inventing new ways to invade networks and steal information. Compliance is a crucial achievement, but data security requires constant vigilance.

5. Compliance is too complicated.

Some merchants have the misguided notion that achieving compliance requires them to complete a number of unnecessary and irrelevant tasks. In truth, the steps to compliance consist of some of the best practices in data security. By meeting the data security standards for compliance, you are going a long way to keeping your sensitive information safe.

6. To become compliant I need to hire my own security expert.

Certain aspects of PCI compliance require help from an outside expert. PCI scans  can only be conducted by an approved scanning vendor and compliance audits necessitate bringing in a qualified security assessor. But not all merchants are required to meet the same criteria to become compliant. Small businesses, for example, are not required to complete a compliance audit. Also, the first requirement of compliance is completing the self-assessment questionnaire (SAQ), which requires no outside help.

7. I’m a small business so compliance doesn’t apply to me.

Wrong. All businesses that process credit card payments are required to meet compliance standards, regardless of size or sales volume. If you accept credit cards, you must be compliant.

8. Completing the SAQ makes me compliant.

While this is sometimes the case, more often than not the self-assessment questionnaire (SAQ) serves as a guide to what you must do to become compliant. The SAQ is a risk assessment tool. Upon completing it, you may find that there are additional steps you must take to achieve compliance, such as completing a PCI scan. Even if the SAQ finds that you’re already compliant, the work is just beginning. Remember that compliance is a process. If you do not continually assess and improve, you may quickly fall out of compliance.

9. I must store cardholder data in order to be compliant.

Actually, the opposite is true. The PCI Data Security Standards (PCI DSS) specifically discourage the storing of customer information and clearly prohibit the storing of credit card magnetic strip data. The PCI DSS further stipulates that all data, whether stored or not, must be encrypted.

10. Compliance is practically impossible.

Some merchants see the 12 requirements of the PCI DSS as a crucible of complex procedures and assume that getting compliant is beyond their ability. Yet many of the protocols in the PCI DSS are just good security sense and will help you to better protect your data. Others complain about the expense of compliance. However, when compared with the damage caused by the average data security breach, the cost of getting compliant is nominal.

The information on this page is not intended to be a source of legal advice. Therefore, you should not rely on the information provided herein as legal advice for any purpose, and should always seek the legal advice of competent counsel in your jurisdiction.