
Common Misconceptions in PCI-DSS Compliance

Written by: Ryan J. Rodrigue, CISA, CISSP
Large or small, any business that takes credit card payments has certain obligations under the Payment Card Industry’s Data Security Standard (PCI-DSS).  Navigating complex compliance requirements can be a daunting prospect, especially for small businesses without specialized PCI expertise.  PCI includes hundreds of required controls, different levels of compliance testing and certification, and various questionnaires and reports.

We often find misconceptions among our clients who are struggling to get their arms around PCI.  Here are some of the most common:

I PROCESS A LOW NUMBER OF CREDIT CARD TRANSACTIONS, SO I DON’T HAVE TO BE COMPLIANT WITH ALL RULES
The PCI-DSS requirements apply to all merchants, regardless of the size of the company or how many transactions are processed per year.  It’s important to understand the distinction between PCI-DSS compliance and validation.  Compliance simply means adhering to the control standards defined within PCI-DSS.  Validation is the established process for demonstrating to your acquiring bank and the payment brands that you are in compliance.

Each payment brand establishes “merchant levels” (1 through 4) and assigns one to each merchant based on the total volume of transactions processed annually.  Your merchant level determines how you will need to validate your PCI-DSS compliance.  Smaller merchants will only need to complete and submit a Self-Assessment Questionnaire (SAQ), while the largest merchants will be subject to a formal on-site assessment by a Qualified Security Assessor (QSA), who issues a Report on Compliance (ROC).

Regardless of your merchant level or the method of validation, you are still required to comply with all of the applicable PCI-DSS control specifications.

I DON’T STORE CREDIT CARD INFORMATION, SO I DON’T HAVE TO BE COMPLIANT
PCI-DSS applies to any system that stores, processes, or transmits cardholder data, and to systems connected to those systems (together, the cardholder data environment).  Even if you only pass the card information through to a third-party payment processor and never retain it, you are still required to comply with the applicable PCI-DSS controls.

There is good news.  If you don’t store cardholder information and you meet certain other criteria, you may not need to complete the full SAQ.  There are five different SAQ versions, with SAQ D being the most comprehensive.  Depending on how you accept transactions and how your network is designed, you may only need to complete one of the smaller, less cumbersome SAQs that contain fewer security control specifications (SAQ A, for example, is intended for merchants that fully outsource all cardholder data functions to a validated third party).  This can save you a lot of effort in both compliance and validation.

I’M ISO/SOX/SOC/HIPAA COMPLIANT, SO I MUST BE PCI-DSS COMPLIANT
There are some overlaps between the many compliance regulations and frameworks; establishing a strong security and compliance environment in general will certainly help with PCI-DSS.  PCI-DSS differs from most other compliance standards, though, in that its controls are specific and prescriptive.

Most standards lay out general control objectives or criteria and allow the organization to determine how to achieve them.  PCI-DSS contains twelve core requirements comprising hundreds of specific security controls that must all be implemented.  There is far less room for interpretation with these controls than with other compliance standards.

Network monitoring or user authentication controls that satisfied your SOC audit, for example, may not be sufficient for PCI-DSS requirements.  Some organizations are surprised to discover that previously acceptable controls now fail a PCI-DSS review.

I PASSED A VULNERABILITY SCAN, SO I’M SECURE AND COMPLIANT
If you had a vulnerability scan performed by an Approved Scanning Vendor (ASV), you have some assurance about your externally facing systems: an ASV scan is an unauthenticated scan of your internet-facing perimeter, and a passing result means only that no known vulnerabilities above the PCI severity threshold were detected on that perimeter at that point in time.  A passing scan does not mean your systems are secure, and security does not equal compliance.  There are many other controls, both technology and process-based, required in order to achieve PCI-DSS compliance.  In fact, the quarterly external ASV scan is just one of the control requirements specified by PCI-DSS for system security; the standard also calls for internal vulnerability scans, rescans after significant changes, and periodic penetration testing.

If you’re feeling lost or overwhelmed by PCI, you’re far from alone.  Our IT assurance professionals have experience helping companies large and small achieve PCI certification.  Our services include:

  • Performing a gap analysis to ensure you have the correct controls in place
  • Assisting in the completion of a Self-Assessment Questionnaire (SAQ)
  • Acting as a Qualified Security Assessor (QSA) to provide a formal Report on Compliance (ROC) for your organization

If you have any questions on this topic, please contact Ryan J. Rodrigue, CISA, CISSP, Senior IT Assurance Manager, at 617-428-5443 or rrodrigue@wolfandco.com

Learn more about Wolf & Company's PCI DSS Services.