GS Logo
The Green Sheet, Inc

Please Log in

A Thing
View Archives

View PDF of this issue

Care to Share?

Table of Contents

Lead Story

PCI: The 'little engine that could' gains steam


Industry Update

Eureka! HMS has conference hosting down

Visa muscles to squelch risk

Interchange under attack

Visa identifies apps storing sensitive data

Restaurants most vulnerable to data breaches


Mind on the ATM money

Tracy Kitten

Industry Leader

Kim Fitzsimmons –


Payments: A very large space

Patti Murphy
The Takoma Group


Street SmartsSM:
To certify or not to certify: That is the MLS question

Dee Karawadra
Impact PaySystem

What if my ISO tanks?

Adam Atlas
Attorney at Law

Ten myths muddling PCI mastery

Ross Federgreen

Statement analysis for cave men

Jason Felts
Advanced Merchant Services Inc.

Getting wise to wireless security

Joel and Rachael Rydbeck
Nubrek Inc.

Help desk quality check

Biff Matthews
CardWare International

Company Profile

WAY Systems Inc.

Premier Payment Systems

New Products

No-brainer protection on smart cards

Smart Card Guard
National Envelope Corp.

Fort Knox for merchant data

3Delta Systems Inc.

A new Vu of IP device management

NetVu version 2.3
Precidia Technologies Inc.


What about you?



Resource Guide


A Bigger Thing

The Green Sheet Online Edition

May 29, 2007  •  Issue 07:05:02

previous next

Ten myths muddling PCI mastery

By Ross Federgreen

Merchants are becoming acutely aware of the mandated requirements of the Payment Card Industry (PCI) Data Security Standard. Unfortunately, many misconceptions, or myths, are associated with this. It is important that members of the merchant services community fully understand PCI and assist their customers with the complexities of compliance.

Myth 1: I do not have to be PCI-compliant

Untrue. Every merchant who in any manner accepts, handles, stores or transmits credit card information must be compliant. This extends to all merchants regardless of their credit card environment. There are no exceptions for merchants who are in the card present environment.

Myth 2: If I have penetration scans, I am compliant

Wrong. Penetration (or vulnerability) scans represent only a fraction of PCI's requirements. While they are important, they are not all that is required. Merchants must also complete the 75 questions comprising the annual self-assessment questionnaire (SAQ).

Myth 3: To complete the SAQ, I can just answer yes to all the questions

Not true. Merchants should only answer yes if they both understand the question and possess documented evidence that the answer should be yes. Fabricating yes answers is inappropriate and opens merchants to severe penalties, including loss of credit card privileges.

Myth 4: No one will ever look at my answers to the SAQ

Untrue. PCI requirements dictate that all merchants must file SAQs with their acquirers annually. If merchants are compromised, risk rated, randomly audited or flagged for other reasons, their SAQ responses will be examined.

Myth 5: I don't need to examine my completed penetration scans

Wrong. It is vitally important to examine penetration scan results and note findings. Each abnormal finding must be addressed regardless of which of the four levels — from informational to severe — is listed. Findings in the severe category must be remediated within 30 days.

Myth 6: If my software or terminal is compliant, I am compliant

Not true. To answer SAQ questions correctly and honestly, every merchant must have written policies, procedures and auditable logs. And significant physical security requirements must be met. PCI-compliant software and terminals are critical, but they are not the entire answer.

Myth 7: A breach can't happen to me

Untrue. Security breaches happen everywhere and can happen to anyone at anytime.

Myth 8: All security breaches are caused by external sources

Wrong. Over 90% of security breaches occur because of employees or other people who have internal access to the merchant.

Myth 9: My processor is responsible for the fines, not me

Not true. Merchants are ultimately responsible for all financial penalties resulting from their PCI-compliance failures. Fines can be up to $25,000 per month per event.

Myth 10: I can complete the SAQ myself

True — but no one should. The 75 questions on the SAQ are complex. To answer them requires in-depth understanding of the meaning and intent of each question. Each merchant should obtain qualified assistance in achieving PCI compliance.

Focus on facts

All ISOs and merchant level salespeople need to fully understand PCI. And merchants need to know that they must comply with PCI: Noncompliance can lead to civil penalties, criminal prosecution and loss of credit card accepting privileges.

The payment brands have spent considerable sums attempting to educate the merchant population. A number of resources are available to assist in helping merchants achieve compliance. The Green Sheet has published many articles addressing PCI issues.

In addition, each card brand has information on its Web site defining requirements and merchant categories.

So, learn what it really takes to be PCI-compliant. This will help you maintain, retain and obtain merchant customers.

Ross Federgreen is founder of CSRSI, The Payment Advisors, a leading electronic payment consultancy specifically focused on the merchant. He can be reached at 866-462-7774, ext. 23, or

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

previous next

Spotlight Innovators:

North American Bancard | Simpay | USAePay | Impact Paysystems | Board Studios