PCI Free Blog

More PCI DSS Myths Dispelled

One of the major complaints often heard about the PCI DSS and becoming PCI compliant is that it’s simply too esoteric to understand and too complex to implement.  I’ve even heard merchants bitterly complain that they’ll have to hire a computer specialist or IT professional just to achieve PCI compliance.  Yet no one I’ve spoken to in the industry, including highly experienced and seasoned professionals, finds the PCI DSS more than a bit technical; it just appears to be so at first glance.  Once you read the PCI DSS guidelines carefully (you should read them carefully at least once), you’ll find that they ask about pretty general things that you probably already do out of common sense. 

For instance, if you have a stand-alone dial-up electronic terminal that does not store credit card numbers or other authentication data, like the majority of small business merchants, you will be completing SAQ type B.  Requirement 3.2 asks whether all systems (that process sensitive authentication data) adhere to the PCI DSS storage requirements.  These requirements are found in Requirement 3.2.1: do not store the full contents of any track of the magnetic stripe, whether that data comes from the back of a card, from a chip, or from elsewhere.  This data is alternatively called full track, track 1, track 2, or magnetic stripe data. 

Now, even if you don’t know what a “track” is or whether the cards you accept also have a chip in them, you can still answer yes or no as to whether you store this information.  The only way to do so is to have a “skimmer.”  A skimmer is one of the devices thieves use to steal credit card information: a dishonest cashier keeps one under the register, quickly swipes the card presented for payment during the transaction, and later connects the skimmer to a PC to download the full magnetic stripe data.  So unless you have a skimmer or some other method of retaining the magnetic stripe information, the answer is YES, you comply with this requirement. 
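For merchants who do keep electronic records (receipts, terminal logs, a database export) and want to verify the “we don’t store it” answer rather than assume it, the check below is an added example and not part of the original post or of any PCI tool. It looks for the two standard magnetic stripe layouts the post names, track 1 (`%B<PAN>^<NAME>^<YYMM><service code>…?`) and track 2 (`;<PAN>=<YYMM><service code>…?`), and confirms each candidate PAN with the Luhn check so that stray numbers do not raise false alarms. The sample records and the PAN 4111111111111111 (a widely used test number, not a real card) are constructed for the example; the regular expressions encode the public track formats and are an assumption about how a given system would store them.

```python
import re

# Constructed sample records, laid out as they might appear in a log or
# database dump. 4111111111111111 is a standard test PAN, not a real card.
SAMPLE_RECORDS = [
    "txn=1001 amount=19.95 last4=1111 auth=OK",               # only a truncated PAN: fine
    "raw=%B4111111111111111^DOE/JANE^25121011000000000000?",  # full track 1 stored
    "raw=;4111111111111111=25121011000000000000?",            # full track 2 stored
    "config=;1234567890123=2512101?",                         # track-2 shape, fails Luhn
]

# Track 1, format B: %B<PAN 13-19 digits>^<cardholder name>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN 13-19 digits>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used for card PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only first six and last four digits, which PCI DSS permits to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text: str) -> list:
    """Return (track number, masked PAN) for each Luhn-valid track pattern in text."""
    hits = []
    for track, pattern in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in pattern.finditer(text):
            pan = m.group(1)
            if luhn_ok(pan):
                hits.append((track, mask_pan(pan)))
    return hits


def scan_records(records: list) -> list:
    """Scan each record; report which ones hold full track data and of which track type."""
    findings = []
    for idx, record in enumerate(records):
        for track, masked in find_track_data(record):
            findings.append({"record": idx, "track": track, "pan": masked})
    return findings


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"record {f['record']}: full track {f['track']} data found for PAN {f['pan']}")
```

Only the two records that hold a complete track layout are reported; the truncated “last4” record and the track-2-shaped string that fails Luhn are ignored. Any hit means Requirement 3.2.1 is not met for that system, and the stored data should be removed rather than merely masked in the report.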

Remember that the PCI DSS, though hard to understand at times, is not your enemy but your friend.  Becoming PCI compliant and maintaining your PCI compliance serves to protect not only your business and your customers, but the businesses and customers of the entire payment system.  The more merchants that are PCI compliant, the stronger the integrity of the electronic payments system overall for merchants and consumers.  Refer to this site for more information and learn how to become PCI compliant for free.

This entry was posted in PCI Compliance, Point-Of-Sale Equipment, Sensitive Data Storage.