7 PCI Compliance Myths And Misunderstandings

Nobody Likes PCI Compliance

For many merchants, PCI compliance is their biggest payment processing headache. PCI DSS requirements are usually presented as a tangled web of technical requirements chock full of industry jargon and unrealistic demands. And, in some cases, that’s accurate. As a result, most merchants don’t invest the time or effort to really learn the PCI DSS’s complexities. They rely on their sales agents, their fellow merchants, and their own common sense to meet the bare minimum of PCI requirements.

The general mystery surrounding PCI has allowed several myths about PCI compliance to spread throughout the industry. In their rush to simplify the process, poorly trained sales agents and uninformed merchants alike have unknowingly passed along misinformation about PCI compliance, and in doing so have made a complicated regulatory framework even harder to understand. To help you sort through what is fact and what is fiction, we’ve gathered the following list of common myths about PCI compliance.

MYTH: PCI compliance is a government regulation.

The Payment Card Industry Data Security Standard (PCI DSS) is neither a law nor a legal recommendation. It was created in 2004 by Visa, MasterCard, Discover, American Express, and JCB, and it is entirely enforced by card networks, banks, and merchant services providers rather than law enforcement. No merchant can be subject to legal penalties for failing to maintain PCI compliance.

The credit card processing industry does not heavily publicize the origin of PCI compliance for a few reasons. For one thing, if merchants suspect that PCI compliance is mandated by law, then they are more likely to comply. For another, if merchants think that these regulations are imposed on their credit card processors, then they are more likely to accept the fees that are charged in relation to them. But make no mistake: PCI compliance fees and PCI non-compliance fees exist solely because the credit card processing industry has created its own set of costly data security regulations for acquirers, payment processors, and merchants.

You are still advised to maintain PCI compliance due to the extremely high cost of data breaches. However, there are many ways to become PCI compliant. Different merchant account providers require different PCI fees and paperwork from merchants, and your costs for PCI compliance can be as flexible as your per-transaction processing fees.

MYTH: If you are PCI compliant, you can’t be fined or sued over a data breach.

Even if you are PCI-compliant at the time your payment processing system is breached, you can be fined hundreds of thousands of dollars or sued by your credit card processor, your acquiring bank, or your customers for damages stemming from a hack. PCI compliance cannot protect you from these costs. The only way you can protect yourself from fines or legal action following a breach is to insist on a clause in your merchant account contract that indemnifies you under certain circumstances. Most payment processors are comfortable with freeing you from liability if their systems are determined to be the source of the breach. They will also likely be comfortable with allowing a third-party forensics expert to investigate the source of the breach. However, it is unlikely that your provider will contractually indemnify you from legal fees or bank-imposed fines following a breach to your own systems, regardless of whether you are PCI compliant.

This doesn’t mean that PCI compliance is worthless. To the contrary, you will have a stronger legal defense and more leverage in an investigation if you can prove that you fully adhered to PCI DSS guidelines at the time of the breach. You just shouldn’t assume that compliance offers you any significant legal protection unless that protection is specifically outlined in your contract.

MYTH: PCI compliance fees can’t be changed because they are passed down from the banks.

Some merchant account providers like to insist that PCI compliance is a cost passed down to them by the banks, and that there’s nothing they can do to lower your PCI compliance or non-compliance fees. This is untrue.

There is no fixed cost of PCI compliance charged to your payment processor by the banks. Your payment processor does incur costs associated with maintaining its own PCI-compliant systems and ensuring that your business remains PCI compliant, but these costs are variable and internally managed. Your processor charges you PCI compliance fees in order to recover its costs of maintaining PCI compliance, but there’s no way for you to know whether those fees bear any relation to the processor’s actual costs. PCI non-compliance fees in particular are simply punitive fees intended to motivate merchants to complete the PCI compliance process. Your processor may also require that you pay a third-party PCI scanning service to audit your location on a quarterly or annual basis, but that is simply another way to shift the cost of reporting PCI compliance to you.

Some PCI compliance fees are justified, as the entire PCI DSS framework is a rigorous and ever-changing standard imposed on all credit card processing companies. But most PCI compliance fees are negotiable, and a good provider will be willing to work with you to find a way for you to remain PCI compliant without paying exorbitant quarterly or annual fees.

MYTH: Outsourcing your credit card processing makes you PCI compliant.

If you accept online payments through a third-party payment processor like Amazon or you use a non-traditional credit card processing app like Square, you may think that you are automatically PCI compliant. And it is true that some services do not require their merchants to pay PCI compliance fees or complete Self-Assessment Questionnaires. A merchant account aggregator like Square, for instance, is technically the merchant of record for each transaction and therefore must assume the burden of maintaining PCI compliance for all of its sub-accounts (a.k.a. its merchants).

However, while your payment processor may offer PCI-compliant software or hardware, your specific business environment can very easily fall out of PCI compliance. If you improperly store credit card data at your location, use shared computer accounts for all employees, operate without a firewall or antivirus software, or incorrectly configure your business’s website, you may be in violation of PCI best practices. In other words, third-party processors like Square only free you from the burden of paying for and reporting your PCI compliance; they do not ensure that you are automatically PCI compliant.

MYTH: You don’t need to be PCI compliant if you only accept a low number of credit cards.

There is no minimum threshold of credit card transactions that triggers the requirement to be PCI compliant. Even if you are a seasonal or very small business, you are expected to maintain PCI compliance at your business.

You may hear about “levels” of PCI compliance. There are indeed four levels of PCI compliance that depend on the number of Visa transactions a merchant processes:

PCI Compliance Levels 1-4

  • Level 1: Merchants processing over 6 million Visa transactions annually across all channels, or global merchants identified as Level 1 by any Visa region.
  • Level 2: Merchants processing 1 to 6 million Visa transactions annually across all channels.
  • Level 3: Merchants processing 20,000 to 1 million Visa e-commerce transactions annually.
  • Level 4: Merchants processing fewer than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually.

For levels 2 through 4, the annual PCI validation requirements are identical. These merchants must complete a Self-Assessment Questionnaire once per year, submit an Attestation of Compliance (AOC) once per year, and conduct a quarterly network scan by an Approved Scan Vendor (ASV) if applicable. Level 1 merchants must file a Report on Compliance (ROC) by a Qualified Security Assessor (QSA) or an internal auditor appointed by the company once per year, submit an AOC once per year, and conduct a quarterly network scan by an ASV if applicable.

MYTH: Completing a PCI Self-Assessment Questionnaire (SAQ) ensures that you are PCI compliant for a full year.

Completing an SAQ may meet your PCI paperwork obligations for a full year, but it doesn’t ensure that your location remains PCI compliant for a full year. If your business falls out of PCI compliance after you submit your SAQ, you’ll be just as at risk for breaches and fines as a business that never submitted an SAQ at all. If it helps, you can think of PCI compliance as a year-round effort to keep processing payments securely, while the SAQ is merely an annual checkup to confirm that your efforts are sufficient.

MYTH: PCI compliance involves hundreds of complicated requirements.

In its current form, PCI compliance only has 12 basic requirements. Assessing these requirements and proving that your business adheres to them can be extremely complicated at times, but the actual demands placed on merchants are 12 common sense measures:

12 Requirements for PCI Compliance

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update anti-virus software on all systems commonly affected by malware.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.

There are a large number of subsections and addenda to these directives, and it can be irritating to work your way through the full scope of their demands. But if you keep in mind that every PCI compliance audit or SAQ is designed to bring you into compliance with these 12 core principles, you are less likely to feel overwhelmed by the process of maintaining compliance.


PCI Compliance Seems Confusing For A Reason

To a certain extent, credit card processors don’t want you to know how PCI compliance works. After all, if they are the only ones who understand the complexities of data security, then you are more likely to pay them or their partners to handle it for you. Even more insidiously, if you don’t know what your responsibilities are, then they can pin the blame on you in the event of a data breach. That’s why it’s important to know the facts about PCI compliance. If you can stay informed and conduct your own research about PCI compliance, then you can regain the upper hand when negotiating with your processor.


Reader Comments

  • Andre

    It’s frustrating to hear about the misinformation and myths surrounding PCI compliance, and how it has been made even more confusing by poorly trained sales agents and uninformed merchants. It’s helpful to learn that PCI compliance is not a government regulation, but rather a set of standards created by the major credit card companies and enforced by card networks, banks, and merchant services providers. However, the high cost of data breaches means that it’s still important to maintain PCI compliance, and it’s good to know that there are different ways to become compliant depending on your merchant account provider. It’s important to take the time to understand the requirements and costs associated with PCI compliance to ensure that you’re meeting the necessary standards and protecting your business from costly breaches.

Copyright © 2024 CardPaymentOptions.com, Inc.