Common Myths

To clear up false information and myths about PCI compliance, we have put together a list of the most common misconceptions about PCI and the reality behind each one. It is critical that every merchant storing cardholder data knows and understands the PCI requirements and the risks involved in not being compliant.

Myth #1: PCI does not apply to me, since I only accept a few cards.
Reality: PCI compliance is required for any merchant that accepts payment cards, even if the quantity is just one.

Myth #2: PCI is an annual event; once I complete the SAQ, I’m done for the year.
Reality: Demonstrating PCI via the SAQ may be an annual event, but merchants must ensure they are maintaining compliance 365 days per year.

Myth #3: I’m using a compliant payment application, therefore I’m PCI compliant.
Reality: Using a certified payment application will help facilitate PCI compliance, but does not make you compliant in and of itself.

Myth #4: We outsource card processing, so we don’t need to comply with PCI.
Reality: A merchant remains accountable and is still required to ensure that any third-party processor is also PCI compliant. Physical and information security policies still apply to the merchant.

Myth #5: I’m a mom and pop store, so hackers won’t attack me.
Reality: According to Visa, over 85% of compromise events occur within the small merchant space (Level 4).

Myth #6: I completed my PCI validation, so I can’t get breached.
Reality: While achieving PCI compliance is a critical step in reducing the likelihood of suffering a breach, it is only a periodic measurement and not a guarantee. Constant vigilance is vital!