The 10 Myths of Payment Card Industry (PCI) Compliance
Merchants are becoming acutely aware of the mandated requirements of the Payment Card Industry Data Security Standard (PCI DSS). Unfortunately, many misconceptions or myths have grown up around these requirements. It is important that members of the merchant service community have a detailed understanding of PCI and can assist merchants with the complexities of compliance.
MYTH 1: I DO NOT HAVE TO BE COMPLIANT
This is untrue. Every merchant who in any manner accepts, handles, stores or transmits credit card information must be compliant. This extends to all merchants regardless of the type of credit card environment they operate in. There are no exceptions for merchants in the card-present environment.
MYTH 2: IF I HAVE PENETRATION SCANS I AM COMPLIANT
This is untrue. Penetration scans or vulnerability scans represent a small fraction of the requirements. Having penetration scans done is important, but it is not all that is required. The merchant must also complete the 75 questions that make up the annual self-assessment questionnaire (SAQ).
MYTH 3: FOR THE SAQ I CAN JUST ANSWER YES TO PASS.
This is untrue. You should only answer yes if you both understand the question and have the documented evidence to support a yes answer. Fabricating yes answers is inappropriate and opens the merchant to severe penalties, including loss of credit card privileges.
MYTH 4: NO ONE WILL EVER LOOK AT MY ANSWERS TO THE SELF-ASSESSMENT QUESTIONNAIRE
This is untrue. As part of the requirements for PCI compliance, each merchant must file the SAQ with his or her acquirer. If a merchant is compromised, risk rated, randomly audited or reviewed for other reasons, the responses on the SAQ will be examined.
MYTH 5: ALL I NEED TO DO IS TO GET MY PENETRATION SCAN COMPLETED.
This is untrue. It is vitally important to examine the results of the penetration scans and note the findings. Each abnormal finding must be addressed regardless of which of the four severity levels, from informational to severe, is listed. Severe findings must be remediated within 30 days.
MYTH 6: IF MY SOFTWARE OR TERMINAL IS COMPLIANT THEN I AM COMPLIANT.
This is untrue. To answer the questions of the SAQ correctly and honestly, every merchant must have written policies, procedures and auditable logs. There are also significant physical security requirements that must be met. Compliant software and terminals are critical but not the entire answer.
MYTH 7: IT CAN’T HAPPEN TO ME.
This is untrue. Security breaches happen everywhere and can happen to anyone at any time.
MYTH 8: ALL SECURITY BREACHES OCCUR FROM EXTERNAL SOURCES.
This is untrue. Over 90% of security breaches occur because of employees or others with internal access to the merchant.
MYTH 9: MY PROCESSOR IS RESPONSIBLE FOR THE FINES SO WHY SHOULD I CARE.
This is untrue. The merchant is ultimately responsible for all financial fines and penalties. This can be up to $25,000 per month per event.
MYTH 10: I CAN DO THE SAQ MYSELF
This is true, but no one should. The 75 questions on the SAQ are complicated and complex; answering them requires a detailed understanding of the meaning and intent of each question.
With the above said, it is incumbent on the MLS and/or ISO to have a detailed understanding of PCI. It needs to be strongly emphasized to each merchant that they must comply with PCI. Failure to do so can lead to civil penalties, criminal prosecution and loss of credit card accepting privileges.
The payment brands have spent considerable sums attempting to educate the merchant population. A number of resources are available to assist you in helping the merchant achieve compliance. The Green Sheet has published a number of articles addressing these issues. In addition, each of the payment brands has information on its web site defining the requirements and the various categories of merchants.
We strongly recommend that each merchant obtain qualified assistance in achieving PCI DSS compliance. Knowledge of PCI and what it really takes to be compliant will help you, the ISO or MLS, maintain, retain and obtain merchants.