Five misconceptions and myths surrounding PCI compliance.

Business tips
Jereme Sanborn


Just as anyone who operates a vehicle must have a driver’s license, all business owners who handle customer credit card information must comply with the data security standards set forth by the Payment Card Industry. Many myths and misconceptions surround this set of standards, often referred to as PCI DSS or PCI compliance. Being able to separate myth from reality can help you as an entrepreneur ensure that you remain in compliance and that sensitive customer data is always protected.

Myth 1: These rules don’t apply to me.

Whether you run a tiny food truck that only operates seasonally or you’re the CEO of a multinational corporation, you must comply with PCI standards. To ensure that secure payment processing occurs with all merchants, companies are divided into four different levels depending on their annual sales volumes. Some merchants may be required to complete Self-Assessment Questionnaires (SAQ), quarterly Attestations of Compliance (AOC), and a quarterly network scan through an approved vendor. The largest businesses at the top level must also take additional compliance steps. Bottom line: No one can weasel their way out of PCI compliance.

Myth 2: PCI compliance is required by the federal government.

In truth, neither Washington, D.C. nor your state dictates adherence to these standards. They are authored and administered by the credit card companies and enforced by card networks, banks, and merchant service providers. Bottom line: Even though you won’t officially be breaking any law by failing to comply, PCI DSS was written for very good reasons. Failure to toe the line could prove to be disastrous for your customers and could even cost you your business.

Myth 3: Using a third-party payment processor lets me off the PCI compliance hook.

In some respects, this myth is grounded in truth. After all, payment processors do comply with data security standards and you may never need to complete an SAQ or an AOC. However, your company probably contains additional systems and networks separate from your third-party processor. Bottom line: It is your responsibility to ensure that your company’s network security, passwords, firewalls, and other systems are PCI compliant.

Myth 4: My business is exempt from PCI compliance because we do not store data.

Although you might not hold customer information, your company probably deals with it in other ways such as transmitting it wirelessly and over networks, phone, and fax lines. Bottom line: Data must be respected at all stages, not just when it is stored.

Myth 5: I can make up my own security compliance standards.

Unlike many other protocols that are open to interpretation, PCI DSS is both specific and thorough. If you don’t believe this is true, go to the PCI Security Standards Council’s website and peruse the documentation, which weighs in at a hefty 73 pages, plus supporting information. Bottom line: Understanding PCI compliance involves adhering to definitive, quantifiable measures. While the learning curve may be steep, the security and protection these rules provide will benefit your business and customers both now and in the future.

Finally, don’t fall victim to the misconception that you have no choice but to figure out PCI compliance on your own. If you are overwhelmed or confused, seek expert assistance from a reputable third-party consultant. Doing so can ensure that your business runs properly and that your customer data is well-protected.