Common Misconceptions with Payment Card Information
PCI-DSS sets strong requirements that raise the bar for any entity collecting credit cardholder data. It requires, among other things, maintaining hardened firewall and router configurations, denying traffic by default, changing vendor default passwords, retaining data only as long as necessary, and using strong cryptographic algorithms. These safeguards help protect this sensitive financial data.
Still, misconceptions about PCI-DSS persist. When I help organizations complete cyber insurance applications, this is something I constantly have to review and revisit with them. Many people think they have no liability for the payment information they collect simply because they use a third party provider. When asked to report the number of PCI records they collect and store, many organizations answer 0. This is not true in the eyes of the law. The organization initiating the transaction still carries liability for that data regardless of which third party it is stored with. The customer entrusted the sensitive data to the organization, not to a third party they did not know existed.
Organizations might not realize they have obligations under PCI-DSS beyond what their third party is doing. Using a payment processor may make compliance easier, but there are often additional steps an organization must take to be compliant. It is important to understand your role as an organization and your payment processor's role, both in PCI-DSS compliance and in protecting credit cardholder data.
It's important to take a second look at how you handle payment data for your services, regardless of whether you use a third party payment processor. Doing so can help you avoid fines and penalties and also protect trust in your brand. It is also how you do your part in protecting the hard-earned money of others.