There is a lot of misinformation floating around out there. Whether it stems from incomplete study, abject ignorance, or even some unethical processors disseminating half-truths, lack of knowledge about the PCI DSS usually results in a weakening of your system security.
One merchant recently told me that since they don’t handle their credit card transactions in-house, but instead outsource that revenue stream to a third-party credit card processor, they don’t have to worry about PCI compliance. Nothing could be further from the truth. Here’s what PCI DSS requirement 12.8.4 says about third-party processing:
“Given that third parties are an increasing source of breaches, active management and monitoring of third parties is appropriate and required. Organizations should implement procedures specifying: – Who has the authority to approve third party agreements where cardholder data is being transmitted, processed, or stored by the third party. – What due diligence must be performed prior to service initiation (e.g. risk assessment form, on-site assessment, validation of PCI DSS compliance, etc.) – How often third parties will be reviewed and what level of review to conduct.”
I’ve heard other merchants say that they’ve purchased a service or product that will instantly render their whole business PCI compliant. Unfortunately, there is no single product or service that, once installed, automatically resolves all of your PCI compliance issues in one fell swoop. The industry does, however, strive to make becoming PCI compliant as easy as possible. For years, all new equipment and all software updates have been automatically PCI compliant. There is very old equipment out there that was designed decades before PCI compliance was dreamt of, but since these units have upgradable EPROM (erasable programmable read-only memory), PCI compliant software has been written for most of them. This is why the majority of merchants processing electronically were not required to upgrade their equipment, only to download new PCI compliant software.
It would be false to say that the industry mandate of PCI compliance has not been both time consuming and costly for processors and merchants to implement. But since its purpose is ultimately the prevention of lost time and revenue due to fraud, it is an enhancement to a system that requires high security. After all, it is ultimately our money we’re talking about here. Nonetheless, many processors have used the new requirement as an opportunity to tack on additional fees. Reports show some processors have added over $300 in annual hidden fees! This site can show you how to get PCI compliant for free!