7 Costly Misunderstandings About PCI DSS Compliance

PCI compliance isn't at the top of everyone's to-do list. But make any of these common mistakes, and you can be fined a substantial amount of money. Avoiding these seven mistakes can mitigate that exposure and make a complex process a little more forgiving.

Believing without verifying

Outsourcing does not automatically make your business PCI compliant. For example, a third party may offer its ISO 27001 certification as evidence of compliance. Always ask to see its Attestation of Compliance (AOC): an ISO certificate alone does not demonstrate PCI DSS compliance.

Choose your partners wisely and at least make the following checks to verify PCI compliance:

Don't accept an ISO certificate in place of an AOC. If no AOC is supplied, you will need to track the provider's processes yourself to ensure full PCI DSS compliance

Take time to read the AOC. It should apply to your actual business environment and be clear about your responsibilities as a customer. An AOC that a consultant has simply written up in response to your request, rather than one produced at the end of a formal assessment, is no evidence that the required compliance processes were followed

Establish in the contract which party is liable for fines, forensic investigation costs and the independent compliance report if a breach occurs. You want this agreed in writing before the worst happens

Look for an AOC signed by a PCI Qualified Security Assessor (QSA) as a sign that the third party is compliant and has been independently assessed

Confusing vulnerability scans with full compliance

Passing a vulnerability scan is only a small part of the much broader PCI compliance process. Avoid third parties that issue a "PCI DSS compliant" badge on the basis of vulnerability scanning alone.

Completing the wrong Self Assessment Questionnaire

Ensure that your organisation has completed the appropriate Self-Assessment Questionnaire (SAQ). Each SAQ corresponds to a specific way of handling card data. For example, if you take face-to-face payments you may need to complete SAQ B, while a fully outsourced eCommerce site may only require SAQ A.

While those may require you to meet around 30 requirements, the full SAQ D covers 330 compliance items. So it pays to complete the SAQ that actually matches how your business handles card data.

Assuming your web host's compliance covers your SAQ

Check with your third-party web host exactly which PCI DSS responsibilities it accepts for your environment, and which remain yours.

Your third-party provider may offer PCI compliant software, but that does not necessarily cover your specific business environment. If your business stores card data improperly, operates without a firewall or runs a misconfigured website, you may be in violation regardless of what the host provides. As an additional safeguard:

At a minimum complete SAQ A

Consider additional controls, including File Integrity Monitoring (FIM), so that unauthorised changes to your website and payment pages are detected

Ensure someone is tasked and given the time and resources to ensure PCI compliance
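The following is an added example of what a minimal File Integrity Monitor does, not code from the original page or from any product the page refers to. It hashes every file under a web root at deploy time, stores that baseline, and later reports files that were added, removed or modified. The directory layout, file names and the simulated tampering in demo() are constructed for illustration; a real deployment would persist the baseline somewhere the web server cannot write to and run the comparison on a schedule.

```python
"""Minimal file-integrity monitor: hash a tree, keep a baseline, report drift.

Added example (not the page's own code). Assumes a local directory of
web-application files; the sample files used by demo() are constructed
in a temporary directory so the script runs offline.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of one file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its hash.

    Symlinks are skipped so an attacker cannot point a monitored name at
    a file outside the tree and have it hashed as if it were in scope.
    """
    snapshot = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            snapshot[p.relative_to(root).as_posix()] = sha256_file(p)
    return snapshot


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots into files added, removed, or whose content changed."""
    known = set(baseline)
    seen = set(current)
    return {
        "added": sorted(seen - known),
        "removed": sorted(known - seen),
        "modified": sorted(f for f in known & seen if baseline[f] != current[f]),
    }


def demo() -> dict:
    """Constructed scenario: a web root is baselined, then tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "checkout.php").write_text("<?php // payment form ?>\n")
        (root / "js" / "app.js").write_text("console.log('ok');\n")
        (root / "robots.txt").write_text("User-agent: *\n")

        baseline = build_baseline(root)  # taken at deploy time

        # Simulated unauthorised changes after deployment (constructed):
        # a script on the payment page is altered, an unexpected file
        # appears, and a known file disappears.
        (root / "js" / "app.js").write_text("console.log('ok'); /* changed */\n")
        (root / "js" / "extra.php").write_text("<?php // unexpected file ?>\n")
        (root / "robots.txt").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Any non-empty result from compare() should raise an alert for a human to review; a change to a payment page that nobody deployed is exactly the event this control exists to catch.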

Believing PCI compliance doesn’t apply as you don’t store card data

PCI compliance covers transmitting and processing as well as storing data. Therefore, if you undertake any of the following processes, PCI compliance applies to you:

You’re transmitting data if card payments are taken via form submission on your website and then transmitted to a third party

If you take telephone payments and enter details via a workstation, you’re transmitting data, and you must properly secure the workstation

Card numbers read out over a VoIP telephone call are transmitted across your network, which then falls into scope

Even if you outsource all payment handling to a third party via a redirect page, you will still need to complete SAQ A as standard

Outsourcing in itself does not make you PCI compliant. As a business, you remain responsible for verifying that your third-party provider is fully PCI compliant, or for actively tracking its progress towards full compliance.

Not taking threats seriously because you think you won't be fined over a data breach

The fundamental purpose of PCI DSS is to prevent loss through fraud. Failing to meet PCI compliance requirements gives an attacker an easier path to card data. Once a breach happens, it triggers a chain of events:

An initial fine

Independent forensics investigation

Independent PCI QSA report on compliance by a 90-day deadline

Further fines for not meeting the requirements by the deadline

Even if you are PCI compliant, a breach can still cost you thousands in fines and leave you open to claims from your acquiring bank, customers and card processors. Compliance therefore gives you a stronger negotiating position rather than specific legal protection, unless your contract says otherwise.

Not spotting the warning signs

These are some of the warning signs that can flag up a lack of full PCI compliance:

Your third-party provider is slow to apply security updates, or only applies them to the website application and not to the underlying infrastructure

There is no documented response plan should a breach occur

Your provider will not accept any PCI compliance responsibilities in writing

Conversely, look for the following as good signs:

Your third-party provider quickly supplies you with its AOC, signed by a QSA

Website administration requires multi-factor authentication, and access can be restricted to named users

The provider is happy to be externally audited

PCI compliance can be complicated, but avoiding these mistakes will reduce your exposure if a breach occurs. Schedule a free consultation today to see how we can help you become PCI compliant.