There is a lot being said about PCI DSS in the payment industry today, and much of it is unclear. There is no denying that it is not the most popular choice amongst Indian organisations today, but why is this so? Figuratively speaking, India has over 20 years of expertise in electronic payments, extensively in the B2B and B2C industries. Moreover, Indian firms have always pushed for the highest level of compliance in this sector. The basis of the unpopularity in fact lies in a few PCI DSS certification myths or misconceptions.
Misconception #1: Should I Even be Bothered About It?
If you are in charge of an entity that either:
- Stores or
payment card data, it is mandatory for you to comply with PCI DSS. This is a compliance requirement that has to be met; however, it does not mean that your company must itself hold a PCI DSS certification. The compliance needs to be adhered to either by your entity, or by an external agency or party that is certified.
Misconception #2: So, I Process Payments, but in Small Amounts – Should I be Bothered About It?
There are no loopholes: even if you have a single swipe in the whole year, it is mandatory that you comply with PCI DSS. No two ways about it.
Misconception #3: Who is Accountable for the Compliance?
The entire payment industry drives PCI DSS certification, and that includes the likes of VISA, MasterCard and others. Many organisations are not aware of which party needs to take on the compliance – each believing that it belongs to the other half. The fact is that the banks (issuers or acquirers) have it in their mandate to ensure that their merchants are following the compliance. Not just that, they also have to ensure that the POS terminal is safe and provided by them. In other words, in case of a fraud, they are held accountable.
Misconception #4: Should it be Taken Seriously?
Many ignore the need to follow the compliance – blame it on a lack of awareness or sheer ignorance. It is an absolute mandate and a must if you are in the payments industry, even if you are an e-commerce company that merely transmits or stores cardholder data.
Misconception #5: Isn’t it Very Expensive, and Won’t it be a Burden to My Firm?
Many of us tend to let go of the most basic prerequisites of our business because of the fear of losing capital. Truth be told, PCI DSS is one of the most important technical standards and leaves no room for not following it. It is quite straightforward to follow, yet it carries several strict mandates, such as application security and data encryption, that get people to look the other way. The obvious fear sets in: ‘Can we really do this?’ The obvious point being missed is that you can easily manage this cost with the help of a qualified security assessor. This would not necessarily be expensive, given the technology and options that are present in the market.
Misconception #6: Never Had Fraud – Why Bother for a PCI DSS Certification?
This seems so common, doesn’t it? Lightning never strikes once or twice, or ever at all, we believe. It is only natural for any business to expect an ROI, and that pushes us to avoid a necessity. There are two main reasons you would opt for this certification: ensuring that you meet the required regulatory requirements, and ensuring you are completely covered against any fraud. The security requirements are a must, and even though it may come across as a purely technical standard, you get the necessary security.
Misconception #7: Can it be a Temporary Solution?
Quite simply, a certification of this sort is both a short- and long-term advantage. You would be ensuring the security of your business as well as encouraging the growth of further business.
Irrespective of the misconceptions that are present, we tend to forget the advantages that are at hand when you have compliance like this implemented in your business. Not only would you be able to protect your business, but you would also have a massive security assurance and insurance for your firm. This extra bit of security is so important if you are looking at acquiring projects from foreign countries. For example, overseas companies insist on PCI DSS certification as an essential requirement before signing up with a partner. This is just one example amongst many.
Such a certification brings a strong level of efficiency to the business, since it is insured and built around a continuous process. Each quarter, your company would have to look at the new risks and deal with countering them.