The 2 Most Common PCI Compliance Myths

PCI compliance, for those who might not be familiar, means meeting the Payment Card Industry Data Security Standard (PCI DSS): the set of security requirements every business that accepts, processes, stores or transmits credit card data must follow. These requirements exist to protect cardholder information for your business and its customers. That said, they often result in headaches and mounting costs for business owners who don’t have the experience to execute them properly. That’s why the IT consulting team at Savvior’s Pittsburgh office has set out to separate fact from fiction in PCI compliance. After reading, you’ll have a better understanding of what makes your business PCI compliant and what leaves you open to potentially costly risks.

Myth: If I use Authorize.net I am PCI compliant

[Authorize.net logo; screen capture taken from Authorize.net]

Whether you use Authorize.net or any other payment gateway, the IT consulting experts at Savvior’s Pittsburgh office are here to warn you: you still have a PCI requirement if credit card information passes through your server, even if it only ever sits in memory. In layman’s terms: if your hands touch the information, the responsibility is in your hands. Some card integration methods have the customer fill in the credit card details on a form that posts to your server, which in turn sends them to your credit card gateway. The card number never touches your disk, but it does pass through your server’s memory and across your network, and that is enough to put the server in scope.

You might be tempted to think, “If I don’t store credit card information I am automatically PCI compliant.” Sadly, this is not the case.

Even if you simply hand the credit card information off to a gateway and never store it, you have a compliance requirement. Remember: if at any point a customer’s credit card information is held by your servers, even momentarily, it’s your responsibility to meet PCI compliance for those systems.

So what can a business do to keep the hassles of PCI compliance to a minimum? The IT consulting experts at Pittsburgh’s Savvior recommend choosing an integration method where the credit card information is passed directly to the gateway and never passes through your server. With Authorize.net, for example, this would be the Direct Post Method or Customer Information Manager. There are also services such as stripe.com that use JavaScript in the customer’s browser to send the card details directly to the gateway, so that your server only ever receives a token. Your compliance obligation does not disappear entirely, but it shrinks to the smallest form (typically a short self-assessment questionnaire rather than an assessment of your own servers).
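The difference between the two integration styles above comes down to what arrives at your server. As an added example (not code from the original post, Authorize.net or Stripe), here is a server-side guard for a checkout endpoint that rejects any request carrying raw card data and accepts only a gateway token. It goes a little beyond the text: it also catches a card number hiding in an unexpected field by combining a length check with the Luhn (mod 10) check that every real card number passes. The field names, the `tok_` token prefix and both sample requests are constructed for illustration.

```javascript
// Added example (not from the original post): a server-side guard that
// rejects any checkout request carrying raw cardholder data, so the only
// thing your server ever handles is a gateway token. It is a detective control
// against regressions (someone wiring the card form back to your own server);
// the property that keeps you out of scope is the browser sending the card
// fields straight to the gateway. Field names, the "tok_" prefix and the
// sample requests below are constructed for illustration.

// Field names that must never arrive at the merchant server, whatever the value.
const FORBIDDEN_FIELD = /^(cvv|cvv2|cvc|cid|card_?number|cardnumber|ccnum|pan|track_?[12]?)$/i;

// Luhn (mod 10) check: every card number passes it, so it filters out most
// 13-19 digit values that are merely order numbers or phone numbers.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// True if a string looks like a card number: 13-19 digits once spaces and
// dashes are removed, and Luhn-valid. A Luhn-valid 16-digit order ID would be
// a false positive; rejecting such a request is the safe failure mode here.
function isLikelyPan(value) {
  if (typeof value !== "string") return false;
  const digits = value.replace(/[\s-]/g, "");
  if (!/^\d{13,19}$/.test(digits)) return false;
  return luhnValid(digits);
}

// Walk a parsed request body (objects, arrays, strings) and record every place
// cardholder data shows up, by path, so the rejection can be logged precisely.
function findCardholderData(body, path = "body", findings = []) {
  if (Array.isArray(body)) {
    body.forEach((v, i) => findCardholderData(v, `${path}[${i}]`, findings));
  } else if (body && typeof body === "object") {
    for (const [key, value] of Object.entries(body)) {
      const here = `${path}.${key}`;
      if (FORBIDDEN_FIELD.test(key)) {
        findings.push({ path: here, reason: "forbidden field name" });
      }
      findCardholderData(value, here, findings);
    }
  } else if (isLikelyPan(body)) {
    findings.push({ path, reason: "value looks like a card number" });
  }
  return findings;
}

// First decision of the checkout endpoint: refuse raw card data, then require
// a gateway token (the "tok_" prefix is an assumed, constructed convention).
function screenCheckoutRequest(body) {
  const findings = findCardholderData(body);
  if (findings.length > 0) {
    return { accepted: false, status: 400, findings };
  }
  const token = body && typeof body === "object" ? body.paymentToken : undefined;
  if (typeof token !== "string" || !token.startsWith("tok_")) {
    return {
      accepted: false,
      status: 400,
      findings: [{ path: "body.paymentToken", reason: "missing gateway token" }],
    };
  }
  return { accepted: true, status: 200, findings: [] };
}

// Constructed sample requests. The first is what a form that posts card fields
// to your own server produces (in scope: the PAN is now in your memory); the
// second is what a page that tokenized the card in the browser produces.
const IN_SCOPE_REQUEST = {
  orderId: "1234567890123456",   // 16 digits but not Luhn-valid: not flagged
  card_number: "4111 1111 1111 1111",
  exp: "12/26",
  cvv: "123",
};
const OUT_OF_SCOPE_REQUEST = {
  orderId: "1234567890123456",
  paymentToken: "tok_example_8f3a",
};

console.log(screenCheckoutRequest(IN_SCOPE_REQUEST));
console.log(screenCheckoutRequest(OUT_OF_SCOPE_REQUEST));
```

Run it with `node` and the first request is rejected with three findings (the `card_number` field name, its Luhn-valid value, and the `cvv` field name) while the second is accepted. One caveat worth repeating: by the time this guard fires, the card number has already been received and is in your server’s memory, so the guard tells you that the client-side integration has been broken; it is not what keeps you out of scope in the first place.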

The IT consulting team in Pittsburgh at Savvior can help you choose the most appropriate payment service and integration method to meet your PCI compliance requirements, or to keep them to a minimum.

Myth: If my software is certified PCI compliant then we are compliant


Again, the IT consulting team at Pittsburgh’s Savvior warns against this notion. PCI DSS has 12 separate requirements, and your software is only part of that equation. You need to meet all 12 to be PCI compliant, and they cover physical security, network layout, access control, logging and other factors beyond the software itself. The only case our IT consulting team in Pittsburgh could think of where a compliant host comes close to covering you would be a small business that handles card transactions online only, with no in-person payments whatsoever, and even then the business still has its own obligations. A better strategy is to choose a credit card integration method that does not pass credit card information through your server’s memory, as explained above. This way, however your business decides to take payments, you’ll always be covered because you took the right steps toward PCI compliance.

The Bottom Line


Adhering to PCI compliance requirements is a costly endeavour. It involves meeting 12 separate requirements with many sub-requirements, any of which can result in exorbitant costs and headaches for your business. Depending on your transaction volume you may have to engage a QSA (Qualified Security Assessor) for an annual on-site assessment, pay an ASV (Approved Scanning Vendor) for quarterly external vulnerability scans, and purchase more expensive hosting. If something does go wrong, you will be liable for the penalties for non-compliance: fines from the card brands and your acquiring bank, and, after a breach, the costs that follow. The point our IT consulting team in Pittsburgh wants to drive home is that PCI compliance is serious. Your business needs to take the proper steps in the proper way so that, down the road, you can rest easy knowing you did what you needed to and your business is safer and stronger because of it.

So What Are My Options?


For 99% of Savvior’s clients, our IT consulting team in Pittsburgh reports that it makes more sense to choose a credit card integration method that does not involve the server passing credit card information through memory. Savvior’s IT consulting experts in Pittsburgh can work with you to find the right hosting options that keep the onus of responsibility out of your hands. If sensitive cardholder information is never stored and never passes through memory on your server, then your server is out of scope and your own obligation shrinks to the minimum (typically a short self-assessment questionnaire rather than a full assessment).

Savvior provides PCI compliant web hosting, has worked with QSA teams in the past to certify web solutions as PCI compliant, and can walk you through the various options you will need to gain compliance. If you are doing eCommerce, it’s a good idea to go through the process as a matter of best practice even if your own compliance requirement is minimal, so you don’t have to worry should questions arise later.

For the other 1%, our IT consulting experts are ready and willing to find the correct solution for your business requirements. Our decades of experience make our IT consulting team in Pittsburgh the best option for finding and executing the right PCI compliance plan for you and your business. Let our expertise do the work for you so you know it’s done right.