PCI Compliance - dispelling some common myths

I was supposed to be in Paris today, auditing various PCI related things. Unfortunately, the fire in the Channel Tunnel has put paid to those particular plans. Not that I’m too upset – I’m rather reluctant to travel too far right now because my wife is heavily pregnant and it’ll be Sod’s law that she’ll go into labour the moment I’m more than a couple of hours away from home.

I’ve recently been putting a lot of energy into dispelling, within the organisation, one or two myths about PCI compliance. The most common ones I come across are:

1) We’re alright if we can pass most of the criteria.

The pass mark is 100%. The standard is supposed to represent a minimum baseline for protecting data, so if you can’t meet all the criteria then you’ve still got work to do.

2) We don’t do any eCommerce so the standard doesn’t apply.

PCI applies to any company within which card data is stored, processed, or transmitted by any means. So, for example, if you have a shelf full of paperwork that contains customer credit card details, that is still cardholder data and the standard still applies.

3) We only do a handful of credit card transactions so PCI is not applicable.

It doesn’t matter whether you are doing 10 or 10,000 transactions; the standard is set to protect all credit card data regardless of the scale of the business.

I consider PCI compliance to be a business-as-usual activity. We’re taking credit card payments, so we need to put the right controls around it. We shouldn’t need regulation to tell us how; we should just be doing it.