Top 10 PCI Myths

Myth #1

Filling out the required Self-Assessment Questionnaire and conducting quarterly network scans will be adequate to avoid security data breaches.

This is a good start, but detecting exposed internal systems, or even discovering a data security breach after the fact, is a far cry from proactively following a plan of action to avoid becoming the victim of a hacker.


Myth #2

Hackers are not targeting small merchants; they prefer to focus on large companies.

Although there have been widely reported security breaches of large companies and chains, the majority of security breaches occur at Level Four merchants, who process no more than a million credit card transactions per year.


Myth #3

Merchants who do not use a POS terminal and instead handle credit card transactions manually or by an alternative method are not subject to PCI-DSS.

The only way a merchant can truly be exempt from PCI-DSS is to not accept credit cards from customers.


Myth #4

A merchant cannot be forced to bring in a forensic auditor when the card processor suspects a security breach.

The standard card processing firm’s merchant agreement requires that a merchant undergo a forensic audit whenever the processor has reason to believe that a breach may have occurred. In addition, the merchant is compelled to pay for the audit and must select from a short list of auditors preapproved by the PCI Security Council.


Myth #5

A merchant’s card processor cannot lawfully withhold a merchant’s accounts receivables should it experience a data security breach.

The standard card processor agreement does, in fact, give the card processor the contractual right to withhold a substantial amount (sometimes upwards of six figures) in order to ensure that the merchant will pay future fines and assessments.


Myth #6

There is nothing to worry about in using an older POS software system that has been PCI validated.

It often appears that a merchant has gotten a good deal by buying or taking over an older, or “legacy”, POS software system. The problem is that older systems (even those that were originally PCI validated) may no longer comply with the latest PCI-DSS requirements. Merchants need to make sure that they have applied every security patch that has been required and that the software has not fallen out of compliance.


Myth #7

Once a firewall has been installed, a merchant does not have to worry about it doing its job.

Some major PCI-related data security breaches have arisen from merchants not realizing that laying new DSL lines or going wireless had inadvertently reconfigured their network and compromised the effectiveness of their firewall.


Myth #8

There is nothing that the merchant can do to challenge a fine or penalty assessed by the merchant’s credit card company.

First of all, credit card companies do not directly fine or penalize merchants. Instead, they have the contractual right to penalize the acquiring bank/card processor, which then passes the card company’s fine on to the merchant. Typical merchant card processing agreements provide for an arbitration process in one particular venue should a merchant wish to challenge the penalty imposed. Most often, that venue is in another city or state, so the merchant may have little incentive to go through the process.


Myth #9

Once a merchant has been breached and is fined and penalized by the acquiring bank/card processor, there will not be any additional bank-related claims to worry about.

It may take as long as 18 months from the breach to receive the last of the fines as well as credit card chargebacks associated with the damages caused by the hacker. The merchant may also be obligated to pay a hefty amount to reimburse the costs for the banks to reissue credit cards to the merchant’s customers.


Myth #10

Merchants are not obligated to publicize the fact that they have been the victims of the breach.

Most states have laws that require merchants to contact their customers to inform them that their credit card information may have been subject to a data breach.