House of the Dragon: Optimizing Search Results for an Article Actually About PCI-DSS Myths

By Jon Clark
July 28, 2022

Is it actually clickbait if I disclose I used clickbait in the first sentence? While some might say yes, I would argue that my readers are discerning enough to see through the ruse. Can you fault me for trying to learn the rules and ensure that I am not only in compliance with them, but also using them to my advantage? I’m just looking for a little lift with search engine optimization. Speaking of taking such an approach, let’s turn to the real topic at hand: PCI-DSS Myths.

What is PCI-DSS?

PCI-DSS stands for Payment Card Industry-Data Security Standard. It is a standard aimed at protecting cardholder data processed, transferred, or stored by any entity or individual that takes payment cards. Thinking back on my time working for a single corporation prior to returning to contracting, I can sum up my prior thoughts regarding PCI compliance very simply: “Whatever we do, let’s not take credit cards so we don’t have to deal with PCI-DSS.”

I allowed what I didn’t know to dictate my decisions then, without making time to learn more, but now I’m diving in and I hope to share what I learn as I go—like the following myths surrounding PCI-DSS.

Myth 1: Our transactions are too few or too small for PCI-DSS

Reality: PCI-DSS is a contractual agreement between a merchant, the card brands, and the banks handling the payment processing. Understanding that PCI-DSS is a contractual standard, not a government regulation, is the best place to begin to understand why PCI compliance will benefit your company even if you only have a few transactions a year, or a very low dollar total in transactions. Government regulation very often applies only once some threshold is reached, but there are no minimum thresholds with PCI.

Myth 2: Since we outsource our card payment processing, we have no need to concern ourselves with PCI-DSS.

Reality: While much of the burden will be on the outside vendor to ensure many of the technical controls are in place, there are still responsibilities that remain with you, the merchant. For example:

  • You must still ensure the website that passes those transactions through to the third party is securely operated.
  • Data must be exchanged securely, either on a private network, or via encryption if using a public network.
  • You are also responsible for ensuring the third party you outsource to is in compliance with PCI-DSS. If they aren’t doing their job, those repercussions could fall back on you.

Myth 3: PCI-DSS is too complicated and requires a full-time role that we don't have the resources for.

Reality: The bulk of the requirements of PCI-DSS are likely to already be in place in an organization with a healthy information security program. Some of the specific governance controls regarding policies might be lacking, but even those should be addressed by a mature information security program. If you don't have the resources to onboard a full-time executive, Parameter can assist you in achieving a strong InfoSec program with advisory services on a fractional basis.

Myth 4: If we comply with PCI-DSS, we have done all we need to protect the organization.

Reality: PCI-DSS primarily deals with securing cardholder data, not the entire environment. Additionally, a PCI-DSS certification is a snapshot of a specific point in time. A healthy information security program will have many more controls in place and enforce constant vigilance over the entire environment.

How to Determine Your PCI-DSS Needs

PCI-DSS is undeniably complex, and is ever changing—especially with the release of v4.0—and I have the utmost respect for organizations working to ensure their customers and their data are protected. While I am certain there are myriad misconceptions not mentioned here, these are a few of the myths most commonly encountered by myself and my colleagues. The good news is, even though it would be impossible to address every misbelief about PCI in a single article, odds are they will be easily answered by an overall information security program that is at a healthy maturity level. One of the best ways to ascertain where your security program lies on the InfoSec spectrum is to compare it against a standard framework such as NIST, ISO27002, or other equivalent.

In part, this is the opportunity I touched on earlier: Since you might find yourself needing to pursue PCI-DSS certification, look beyond the minimum requirements of certification, and conduct an overall evaluation of your information security program. If conducting such an assessment is beyond your in-house expertise, let's talk about how Parameter Security can assist you in assessing and architecting your program.

Assessing Your Information Security Program

The most fulfilling part of my role at Parameter is connecting with clients, assisting them in digging into their current security program, and subsequently developing and executing a plan to get them to where they want to be.

So many organizations we work with find themselves at the end of a history of purchasing technology they hoped would make them more secure, or possibly pursuing certifications they thought would do the trick. In the end, they have an appearance of being secure, but their true state of security is unimproved from where they started. Parameter Security works with clients from around the world to implement standards and protocols that actually protect companies’ clients and data.

So what does all this have to do with House of the Dragon? Well, much like House of the Dragon is a follow up to Game of Thrones, PCI-DSS has a sequel in the works, too. The PCI-DSS v4.0 standard has arrived, and mandatory compliance is coming sooner than many realize. While it may clarify some of the issues folks find frustrating currently, it may also open a new can of worms. Reach out via the form below with any questions about coming PCI compliance changes or how Parameter Security can help you to manage your PCI compliance requirements.

JON CLARK
CISSP, GSTRT, CISA, GPEN, PCI-DSS QSA, PCIP
Chief Information Security Officer & Director of Advisory Services

Jon has been providing guidance in information security and technology risk for the last 24 years. His background includes serving as head of the information security program for a $2B financial institution, SVP of enterprise risk, and as CIO.

Once a university adjunct professor, Jon has the heart of a teacher and ensures his clients understand the ‘what’ and ‘why’ of solutions as he guides them through the establishment and maintenance of their information security programs.

Jon earned a Master’s degree in Computer Information Resource Management and has served in the United States Marine Corps. In his free time, Jon enjoys time with his wife and three ever-growing children, playing guitar and bass, and reading non-fiction. A favorite quote of his is from Charlie “Tremendous” Jones: “You are the same today as you’ll be in five years except for two things: the books you read and the people you meet.”
