Why PCI Compliance is Not a Guarantee of Security

By now, every merchant that accepts credit and debit cards knows (or should know) about the Payment Card Industry Data Security Standard (PCI DSS). It is an industry information security standard, maintained by a council founded by the leading card brands, intended to increase the protection of cardholder data and reduce fraud. It is a contractual requirement rather than a law: all merchants – even small ones – are required to comply, or risk fines from their acquiring bank and the loss of the ability to accept many brands of payment cards.

Your own business has probably undergone, at minimum, a PCI self-assessment via questionnaire, or perhaps an audit conducted by a Qualified Security Assessor. Passing an assessment or audit validates that, at the time of the assessment and within the scope that was assessed, your business was meeting the standard's required controls for protecting cardholder data. It is a point-in-time snapshot: systems change after the assessor leaves, controls drift, and systems that were placed out of scope can still be attacked. Achieving PCI DSS compliance is therefore not a guarantee that your shop will be immune to a breach – especially as threats grow ever more sophisticated. Many retailers that had validated PCI compliance have still suffered a data breach.

If PCI compliance is not a guarantee of payment data security, why make the effort and incur the expense? First, non-compliance is not an option if you want to continue to accept the major brands of credit and debit cards for your customers' convenience. More importantly, the value lies not in the certificate but in the practice: the standard's controls (network segmentation, patching, access control, logging and monitoring, regular testing) are meant to be operated continuously, and it is that ongoing operation, not the annual validation, that reduces your risk of a data breach. As the methods of compromise become more sophisticated, it becomes harder for an individual merchant to keep up with the full range of threats on its own. The PCI DSS continues to evolve so that retailers have a current baseline of measures to put in place against the changing threat landscape; treat it as a floor to build on, not as a ceiling.