McAfee Mythbusters: 5 Misconceptions About PCI Compliance
As more and more transactions are carried out online, credit card security and the need to achieve universal PCI Data Security Standard (PCI DSS) compliance continue to be a key issue. Many eCommerce merchants, especially retailers who fall within the small to medium category, are neglecting to keep up to date with the PCI standards required for accepting electronic payments.
For online merchants, PCI DSS compliance is a vital step in protecting the safety of customers’ financial transactions, but many see it as a once a year obligation rather than an ongoing process. There are many misconceptions around the benefits as well as the costs of compliance, and below we discuss 5 key PCI-related myths and the real facts behind them.
Myth #1: Small companies don’t need to worry about PCI DSS compliance
According to Visa’s most recent PCI Compliance Levels Report, the speed of adoption for many smaller companies has been alarmingly slow, with PCI compliance for Level 3 merchants only growing slightly from 57 percent to 58 percent since last September.
More so than their larger counterparts, small companies are especially vulnerable to consumer apprehension, where the trust associated with global brands is not present. For these merchants, a good business reputation must be developed organically, and being PCI compliant is a huge step in overcoming consumer fears about data and transaction safety.
Myth #2: There is no need to bother with PCI Compliance, when even PCI compliant companies can be breached
The reality is that hackers are always finding new and creative ways to breach sensitive data. As we saw earlier this year in the case of Global Payments, even companies who have previously embraced PCI standards can still be attacked. Nevertheless, this is absolutely not a reason to shirk compliance.
Simply demonstrating PCI DSS compliance is not enough to ensure security – it is an ongoing process to maintain it. Compliance should be just one of the many tools in your network security arsenal. The PCI DSS requires quarterly scanning, but many businesses opt to implement daily scanning as part of their overall security strategy. For online businesses small and large, achieving and maintaining PCI compliance should be a priority, but not the only aspect of security that you focus on.
Myth #3: A data breach will not affect business revenue
Even if business revenue doesn’t directly or immediately suffer, the cost merchants face when a worst-case scenario occurs can be devastating. It’s your job to protect customer data at the point-of-sale, and if cardholder data is stolen – it’s your fault – no matter the size of your business. If a breach occurs, you could incur fines, penalties, and even the termination of the right to accept payment cards.
Beyond the immediate effects, a company’s reputation can also be irreparably damaged – causing consumer confidence to plummet and revenue to suffer in the long run. CEOs and business owners need to be aware of the ultimate costs of a breach and take every precaution necessary to prepare for it – starting with PCI compliance.
Myth #4: Once PCI compliance has been achieved, the entire business will be secure
Heartland Payment Systems, which was very publicly breached in 2008, had been certified as PCI compliant before the attack. But the source of their breach was located outside the systems that were certified as compliant. Hackers exploited this weakness, gaining access into other systems that connected to their certified network. Merchants who are not aware of vulnerabilities, or take the steps to remediate in a timely fashion, are at risk for being breached. Daily scanning is recommended in order to be aware of such vulnerabilities.
PCI DSS only addresses cardholder data security, not the security of your entire network. Compliance to payment standards should be part of a larger security plan that encompasses all areas of your business.
Myth #5: There will be no additional ROI from PCI compliance for small businesses
Perceived security is a huge factor in the success of online retail stores, especially for small and newly established merchants. If potential customers don’t feel safe entering their payment information, they will simply go somewhere else.
So, while PCI addresses the need for basic payment security, the real ROI comes from consumer confidence. Maintaining your reputation as a safe and reliable business can mean the difference between higher sales or none at all.
PCI Myths: Busted
PCI compliance is a critical part of your business foundation that should be built upon to ensure secure financial transactions and consumer confidence. While it is not a fool-proof method in itself, keeping up with PCI standards shows that you are taking the necessary steps to keep your customers’ data safe.
Visit our website for more information on how the McAfee PCI Certification Service can provide your company with step-by-step compliance guidance, and be sure to follow us on Twitter at @McAfeeSECURE for the latest in eCommerce news and events.