Ten misconceptions about the PCI DSS standard



Many misconceptions have grown up around PCI DSS compliance. If a company approaches certification through them, it can take the wrong actions, become frightened of the difficulty, or simply waste money. In this article we look at ten of the most common misconceptions about PCI DSS certification.

But before we start, let’s remember what the PCI DSS standard is and what its main objectives are.

PCI DSS (the Payment Card Industry Data Security Standard) protects cardholder data that is processed, transmitted or stored by merchants, processors and other service providers. We repeat this in every article, because it is the single most important point.

The standard contains only 12 requirements, grouped under six goals. They touch many business processes and security technologies, and they are based on generally accepted good practice for protecting card data.

The scope of PCI DSS is broad, and meeting all of its requirements can look complicated and confusing, especially to a small shop or restaurant that has no security systems and no IT professional on staff. Such a specialist could explain exactly what has to be done to achieve PCI DSS compliance, but the budget of a small company is rarely designed for an additional employee, and we do not think hiring one is necessary. You can contact our company and we will give you complete and qualified information.

Complexity is added by the fact that some vendors of security products and some service providers use PCI DSS as a marketing tool, implying that their product or service is required to pass certification. In most cases it is not.

As a result, business owners end up with misconceptions about what actually has to be done to comply with PCI DSS.

This article describes the ten most common of these misconceptions. Its goal is to help representatives of both small and large businesses understand more clearly what PCI DSS is.

We hope that after reading it you will see that the PCI DSS requirements and the certification process are simpler than they seem. The main thing is not to approach this important matter from the perspective of the myths.

Before we move on to the misconceptions, let us recall once more what PCI DSS is for and what its goals are. The standard exists in order to:

  • Build and maintain a secure network and systems.
  • Protect stored and transmitted cardholder data.
  • Maintain a vulnerability management program.
  • Regularly test networks and systems.
  • Implement strong access control measures.
  • Continuously monitor network and system security.
  • Maintain an information security policy that covers all personnel.



Now it’s time to move on to the misconceptions.

Myth №1: If we buy a product from a single vendor, our company will meet all the requirements of PCI DSS.

This is a very common myth, so let us set the record straight.

It is wrong because no single product can satisfy all of the PCI DSS requirements. Many requirements are about processes, policies, training and documentation rather than technology, and no appliance or software package can supply those. To avoid spending money on unnecessary products and services, consult the assessor who will perform your certification before you buy anything. Maintaining compliance year after year can usually be done without additional spending on products or services you do not need.

Myth №2: If we outsource payment card processing to a third party, we will automatically meet all the requirements of PCI DSS.

Let us dispel this myth as well. Outsourcing these business processes to a third party can significantly simplify PCI DSS certification. That much is true. But it does not mean that all of the requirements are automatically met.

Remember that you must still develop a policy governing how card data is handled and transmitted, and you remain responsible for the card data that passes through your business. You must also make sure that your service provider itself complies with PCI DSS. The standard expects you to keep a list of the providers you use, to have a written agreement with each of them acknowledging their responsibility for the card data they handle, and to record which requirements each provider covers on your behalf and which remain yours. If you use third-party services, do not be too lazy to ask each provider for its Attestation of Compliance (AOC) and to check that its scope actually covers the services you use.

Myth №3: Certification is the responsibility of the company's IT department.

IT staff can be responsible for implementing the technical and operational controls. But meeting PCI DSS also requires putting in order business processes such as staff management and training, internal control, and relations with suppliers. It is therefore very important that the company's top managers and the heads of key business units are involved in the PCI DSS project.

Myth №4: The PCI DSS certificate will protect our business from all hacking attacks.

This is another false myth, and to avoid serious mistakes later you need to get rid of it as soon as possible.

The assessors who perform the certification verify that all the requirements are met, examine the network and its protection, and then issue their conclusion. That conclusion is a snapshot of the security state at the moment of the assessment. It says nothing about how long that state will last, and attackers and malware evolve continuously.

So it is not enough simply to obtain the certificate. To protect your business from attacks you must keep meeting the requirements all the time: regularly analyse the systems, and fix even small deviations from PCI DSS promptly. Doing so minimises the risk but does not give a 100% guarantee.

Certification happens once a year, while attackers work around the clock all year. Always keep that in mind.

The certificate does not protect you; strict, ongoing compliance with all the PCI DSS requirements does.

Myth №5: The PCI DSS requirements are excessive.

In fact, most of the PCI DSS requirements are generally accepted and considered good practice for security. In addition, the standard allows compensating controls as an alternative, but only where your company cannot meet a specific requirement for a legitimate technical or business reason, and only if the compensating control meets the intent of the original requirement.

What looks like excessive detail is in fact precise guidance that answers not only the question of what must be done for security, but also how to achieve it in the best way. That is what makes PCI DSS an effective standard for protecting sensitive data.

The effort required of a small online store and of an international bank differs greatly, because the set of applicable requirements depends on how you accept and handle card data. So do not believe the myths; consult our expert instead.

Myth №6: To pass PCI DSS certification we must hire an accredited auditor.

This myth arose because many large companies, with very complex IT infrastructures, hire a Qualified Security Assessor (QSA) to perform a thorough assessment and deliver a professional conclusion.

Whether a QSA is required depends on the merchant level assigned by the card brands and your acquiring bank, which is based mainly on transaction volume. Small companies are generally allowed to self-assess: they complete the Self-Assessment Questionnaire (SAQ) that matches how they handle card data and prepare the supporting materials themselves, bringing in an external assessor only if the acquirer asks for independent verification.

Large companies, and any merchant whose acquirer requires it, must be assessed on site by a QSA or by a trained Internal Security Assessor (ISA).

Myth №7: PCI DSS does not concern us; we process very little card data.

Every company that accepts payment cards must comply with PCI DSS, even if it processes a single transaction a year. What changes with volume is not the obligation to comply but how compliance is validated: a small merchant typically self-assesses, while a large one undergoes an on-site assessment.

Myth №8: We will be compliant if we just fill out the questionnaire.

That is not quite true. Besides the questionnaire itself you must submit an Attestation of Compliance, signed by an officer of the company and, where an external assessor performed the assessment, by that assessor. And the answers on the questionnaire have to be backed by real, ongoing activity: quarterly vulnerability scans, penetration testing, risk management and continuous monitoring of the systems in scope.

Compliance with PCI DSS is therefore a never-ending process, not a one-time procedure.

Myth №9: PCI DSS requires us to store cardholder data.

This is another myth that confuses people with false information. PCI DSS, and the card brands themselves, discourage storing card data at all: the less you store, the less you have to protect and the smaller your scope. If you do store the primary account number (PAN), the need must be justified by a business requirement, and the PAN must be rendered unreadable wherever it is stored, by truncation, strong encryption, tokenization or a keyed hash. Sensitive authentication data (the full magnetic stripe or chip data, the CVV2/CVC2 code and the PIN) must never be stored after authorization, even in encrypted form.
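The storage rule above is easier to apply when it is enforced in code at the point where a record is written. The following example is added here and is not part of the original article: it gates a card record before storage, refuses anything containing sensitive authentication data, validates the PAN with a Luhn check, and keeps only a truncated PAN plus a keyed hash (HMAC) that lets the merchant match a returning card without holding the full number. The field names, the test PAN and the key are constructed for illustration.

```python
"""Added example (not from the original article): a storage gate for card data.

Rules enforced:
  * sensitive authentication data is never persisted, encrypted or not;
  * the PAN is stored only truncated (first 6 / last 4) and as an HMAC;
  * a plain hash is deliberately avoided, because the PAN space is small
    enough to brute-force from an unkeyed hash.
Field names below are assumptions made for this example.
"""
import hashlib
import hmac

# Field names assumed to carry sensitive authentication data (SAD).
SAD_FIELDS = {"cvv", "cvv2", "cvc2", "track1", "track2", "pin", "pin_block"}


class StorageViolation(ValueError):
    """Raised when a record would put prohibited or malformed card data at rest."""


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check; rejects obviously malformed PANs before they are stored."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, masking the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_hmac(pan: str, key: bytes) -> str:
    """Keyed hash of the full PAN for card matching; the key must be kept
    out of the database, managed like any other cryptographic key."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def prepare_for_storage(record: dict, key: bytes) -> dict:
    """Return a copy of `record` that is safe to persist, or raise StorageViolation."""
    present_sad = SAD_FIELDS & set(record)
    if present_sad:
        raise StorageViolation(
            f"refusing to store sensitive authentication data: {sorted(present_sad)}")
    pan = str(record.get("pan", "")).replace(" ", "")
    if not luhn_valid(pan):
        raise StorageViolation("malformed PAN")
    stored = {k: v for k, v in record.items() if k != "pan"}
    stored["pan_masked"] = truncate_pan(pan)
    stored["pan_hmac"] = pan_hmac(pan, key)
    return stored


def is_rejected(record: dict, key: bytes) -> bool:
    """True if the gate refuses the record (used to exercise the failure paths)."""
    try:
        prepare_for_storage(record, key)
    except StorageViolation:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: a well-known test PAN and a throwaway key.
    demo_key = b"example-key-do-not-use"
    ok = prepare_for_storage(
        {"pan": "4111 1111 1111 1111", "expiry": "12/30", "name": "TEST CARD"}, demo_key)
    print(ok)   # pan_masked is 411111******1111, no full PAN present
    print(is_rejected({"pan": "4111111111111111", "cvv2": "123"}, demo_key))  # True
```

Note that storing a truncated PAN and a hash of the same PAN side by side is only acceptable if the hash cannot be used to recover the full number; that is why the hash is keyed, and why the key must be stored and rotated separately from the data, under the same key-management controls the standard requires for encryption keys.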

Myth №10: PCI DSS certification is too complicated.

PCI DSS is only 12 requirements, all of which have long been familiar to information security specialists.

Meeting them is basic business hygiene. If your company cannot afford its own IT security specialist who understands the requirements of the standard, you can contact our company and we will help you implement established good practice in security. With our help you will pass PCI DSS certification quickly and simply.

Many people say "difficult" when they mean "expensive", and in doing so they spread this myth further. Assess the possible risks and losses honestly: they are large for any company, and for a small business a breach can be fatal. It is better to achieve PCI DSS compliance, because in practice it is very simple.

In this article we have examined the ten most common misconceptions. There are, of course, many more. Do not waste your time on them: consult our specialists, who will give you accurate information and help you find the right solution.

By Oleksandr Kuberskii and Igor Demchuk


