PCI-DSS (Payment Card Industry Data Security Standard) is a set of security requirements designed to ensure that every company that processes, stores or transmits credit card information maintains a secure environment; "certification" is the annual validation that those requirements are actually met.

Credit Card – Photo by Mark OFlynn on Unsplash

I’ve already told you about the standard: https://medium.com/@btk667/la-norme-pci-dss-gestion-des-cartes-de-crédits-72b6a764dfb2

And what changed in the update: https://medium.com/@btk667/pci-dss-4-0-quoi-de-nouveau-9b01d8cc1177

On the other hand, a number of myths still surround PCI-DSS certification, and some companies continue to believe them.


Here are 20 such myths:

  1. PCI-DSS is only necessary for large companies: PCI-DSS applies to any company that accepts, processes, stores or transmits payment card data, regardless of size or transaction volume. This includes e-commerce companies, physical stores and those using mobile terminals. Even small businesses and those who outsource their payment services remain responsible for ensuring PCI-DSS compliance.
  2. Once certified, you stay certified: PCI-DSS compliance is ongoing. It must be validated annually, and entities with internet-facing systems in scope must also pass quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) in between.
  3. Compliance is too expensive: The cost of non-compliance, in terms of fines, reputation and security incident management, can be far higher than that of compliance. What’s more, many acquirers bill a recurring non-compliance fee on merchant accounts, so being PCI-DSS compliant can lower the charges associated with transaction processing, a tangible economic advantage.
  4. Compliance guarantees total security: Although it improves security, PCI-DSS compliance cannot guarantee 100% security against all forms of cyber-attack.
  5. Small businesses are not targeted by hackers: Small businesses are often targeted precisely because they take security less seriously; lacking the knowledge, or even the motivation, to organize themselves, they are easier prey.
  6. Only online transactions must be compliant: All transactions involving payment card data, whether online or offline, must be compliant.
  7. Compliance is only the IT department’s business: PCI-DSS compliance involves the whole company, including management, finance, human resources and so on.
  8. Cloud service providers take care of everything: Using a cloud provider that is itself PCI-DSS compliant only covers the controls the provider operates. You remain responsible for the compliance of your own data and of everything you deploy and configure on the platform, and the split must be written down: Requirement 12.8.5 asks you to maintain a record of which requirements are handled by each third-party service provider, which by you, and which are shared.
  9. Compliance is a one-off project: PCI-DSS compliance requires ongoing commitment and regular adjustments to changes in the business and technological environment.
  10. Using only approved payment terminals ensures compliance: While this is important, compliance encompasses much more, including policies, procedures and employee training. For example, Requirement 9 asks the merchant to keep an inventory of its payment terminals, inspect them periodically for tampering or substitution (added skimmers, swapped devices) and train staff to recognize and report such attempts.
  11. Encrypted stored data does not require compliance: Encrypted cardholder data is still cardholder data and stays in scope. Encryption is one control among many (Requirement 3); the key-management processes around it and every system able to decrypt the data must also meet the remaining requirements. Scope is only reduced when the entity itself has no means to decrypt, for example with a validated point-to-point encryption (P2PE) solution whose keys are held by the provider.
  12. Only magnetic stripe or chip data is affected: All payment card data is affected. Cardholder data (the PAN, cardholder name, expiry date and service code) must be protected wherever it is stored, processed or transmitted, and sensitive authentication data (full track data from the stripe or chip, the CVV2/CVC2/CID security code, PINs and PIN blocks) must never be stored after authorization, even in encrypted form.
  13. Certification is too complex to achieve: Although demanding, compliance is achievable with proper planning and resources.
  14. Companies outside the EU or the USA are not affected: Any company processing payment card data from the major card brands is affected, regardless of its location.
  15. PCI-DSS is static and never changes: The standard is regularly updated to keep pace with new threats and technologies. Version 3.2.1 was retired on 31 March 2024 in favour of v4.0, and a number of v4.0 requirements were future-dated, becoming mandatory only on 31 March 2025.
  16. Compliance is only technical: Compliance also includes administrative and organizational aspects.
  17. Only card payments are concerned: The standard itself is scoped to payment card account data, but the same principles (keep as little as possible, protect what you must keep, restrict and monitor access to it) should be applied to all forms of payment data you handle.
  18. Non-compliance isn’t a big deal if you don’t have a data breach: Non-compliant companies can be subject to fines and sanctions, even in the absence of a breach.
  19. PCI-DSS is all about fraud prevention: Although fraud prevention is important, the standard is more broadly aimed at protecting cardholder data.
  20. PCI-DSS audits are unnecessary if you’re already using other security frameworks: Although other frameworks can contribute to PCI-DSS compliance, a dedicated validation is still needed: either a Self-Assessment Questionnaire (SAQ) or, for larger merchants and service providers, a Report on Compliance (ROC) produced by a Qualified Security Assessor (QSA). Control mappings from ISO 27001 or SOC 2 can shorten the work but do not replace it.
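
Myths 11 and 12 come down to one practical question: where is card data actually sitting in your environment? A common surprise during scoping is finding PANs and CVVs in application logs. The script below is an added example written for this article (it is not code from the article’s author or from the PCI SSC): it scans a few constructed log lines for PAN candidates, uses the Luhn check to discard look-alike numbers such as order or shipment ids, flags sensitive authentication data fields, and produces a redacted copy with PANs masked to first six / last four, the classic Requirement 3 masking rule. The log lines, field names and the 13-to-19-digit pattern are assumptions chosen for the demonstration.

```python
import re

# Constructed sample log lines for this example; they are not taken from the article.
# The two PANs are the well-known Visa/Mastercard test numbers; the 16-digit
# shipment id is there to show that the Luhn filter rejects look-alikes.
SAMPLE_LOG = """\
2024-05-01 10:00:01 INFO checkout ok order=1001 pan=4111111111111111 exp=12/26
2024-05-01 10:00:02 DEBUG raw request: {"card":"5555 5555 5555 4444","cvv":"123"}
2024-05-01 10:00:03 INFO shipment id=1234567890123456 tracking ok
2024-05-01 10:00:04 INFO payment token=tok_9f8e7d6c5b4a
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens, not glued to other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data keys (assumed field names) followed by a 3- or 4-digit value.
# These must never be stored after authorization, so a hit here is a finding on its own.
SAD_FIELD = re.compile(r'"?\b(cvv2?|cvc2?|cid|pin)\b"?\s*[:=]\s*"?\d{3,4}', re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: doubles every second digit from the right, subtracts 9
    from any result above 9, and requires the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits; everything in between becomes '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(line: str) -> list:
    """Return the candidate strings in `line` that pass Luhn (raw form, separators kept)."""
    return [
        m.group(0)
        for m in PAN_CANDIDATE.finditer(line)
        if luhn_ok(re.sub(r"[ -]", "", m.group(0)))
    ]


def scan_log(text: str) -> dict:
    """Scan log text line by line.

    Returns {"findings": [...], "redacted": str}: each finding records the line number,
    the type (PAN or SAD) and either the masked PAN or the SAD field name; the redacted
    text has PANs masked and SAD values removed, so it can be kept outside the CDE.
    """
    findings = []
    redacted_lines = []
    for n, line in enumerate(text.splitlines(), start=1):
        for raw in find_pans(line):
            masked = mask_pan(re.sub(r"[ -]", "", raw))
            findings.append({"line": n, "type": "PAN", "value": masked})
            line = line.replace(raw, masked)
        for m in SAD_FIELD.finditer(line):
            findings.append({"line": n, "type": "SAD", "value": m.group(1).lower()})
        # The SAD match ends with the secret digits, so drop just that tail.
        line = SAD_FIELD.sub(lambda m: re.sub(r"\d{3,4}$", "[REDACTED]", m.group(0)), line)
        redacted_lines.append(line)
    return {"findings": findings, "redacted": "\n".join(redacted_lines)}


if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG)
    for f in result["findings"]:
        print(f"line {f['line']}: {f['type']} {f['value']}")
    print(result["redacted"])
```

Run against a real log directory, the same `scan_log` function is a cheap first pass before a scoping exercise: every PAN finding is a system that has just joined your cardholder data environment, and every SAD finding is a Requirement 3.3 violation regardless of whether the value was encrypted at rest. Note that the Luhn check only removes obvious noise; long numeric identifiers that happen to be Luhn-valid will still be reported and need a human look.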

I invite you to click on “Follow” to continue learning more about the field of information security.