PCI Compliance: The biggest myths

29 Sep 2022

Tony Dormer Chairman

Online retail has dramatically changed the way consumers shop. In 2020, the number of products bought online increased by 25.7%, according to Forrester. The global industry is now valued at $4.2 trillion, with sales projected to climb a further 16.8% by end of 2021.

But the growth of eCommerce has also led to an increase in cyber crime.

Data from the Australian Payments Network revealed that incidents involving card fraud cost the industry $447.2 million in the 2019-2020 financial year. The bulk of card fraud (87.7%) occurred through card-not-present (CNP) systems in online and mobile platforms.

The security of cardholder data affects everyone

eCommerce security threats can affect the entire payment card ecosystem.

Customers impacted by card fraud can incur serious damages to their credit, creating enormous personal fallout. This can lead to a loss of trust in brands, merchants, and financial institutions.

For eCommerce businesses, compromised cardholder security can lead to a loss of credibility, a slump in sales, as well as numerous financial liabilities.

To improve global payment account data security and diminish the risk of eCommerce security threats, industry standards have been established to drive education, awareness, and ensure effective implementation.

What are the PCI Data Security Standards?

In 2006, the five major credit card brands (American Express, Discover, MasterCard, Visa, and JCB International) formed the PCI Security Standards Council – an organisation dedicated to promoting awareness of and adherence to payment security standards.

In pursuit of that goal, the PCI Security Standards Council created the PCI Data Security Standard (PCI DSS) – a set of rules and standards for businesses that ensure customer credit card information is being safely stored.

The PCI Security Standards seek to protect businesses and encourage consumer confidence. For hundreds of millions of people worldwide that use their cards every day, these standards help guarantee healthy, secure, and trustworthy payment card transactions.

Who do PCI standards apply to?

Any business that transmits, stores, handles, or accepts credit card data – regardless of size or processing volume – must comply with the PCI DSS. The level of compliance will depend on your business situation.

What are the 12 key requirements of the standards?

To comply with the PCI DSS, businesses must follow 6 goals with 12 requirements:

Build and maintain a secure network

  • Use a firewall on your network and all PCs to protect cardholder data.
  • Change default passwords on hardware and software. Make sure you choose secure passwords for all of your business systems.

    Protect cardholder data

    • Protect any cardholder data you store.
    • Encrypt cardholder data if it’s being transmitted across open, public networks.

      Maintain a vulnerability management program

      • Use and regularly update software, including your anti-virus software.
      • Develop and maintain secure systems and applications.

        Implement strong access control measures

        • Only allow access to cardholder data when it’s required.
        • Assign employees their own unique login (user name and password) for computer systems.
        • Restrict physical access to cardholder data. Do not store any sensitive cardholder data on your computer or on paper.

          Regularly monitor and test networks

          • Track and monitor all access to your network resources and cardholder data.
          • Regularly test security systems and processes.

          Maintain an information security policy

          • Maintain a policy for your employees that addresses information security for IT and payment systems.

          These 12 standards must be continually met and reported to ensure compliance.

          Common misconceptions of PCI Compliance

          Myth 1 – One vendor and eCommerce platform will make us compliant

          Platforms such as Salesforce Commerce Cloud come with an array of industry security standards such as PCI-DSS and Single Sign-On (SSO).

          However, no single vendor or product fully addresses all 12 requirements of PCI DSS. 

          Instead of relying on a single product or vendor, brands need to implement a holistic security strategy that focuses on a secure 360 view that meets the PCI DSS requirements. Businesses need to ensure they are completely compliant not just partially.

          Myth 2 – Outsourcing card processing makes us compliant

          Outsourcing simplifies payment card processing but does not provide automatic compliance.

          Brands need to ensure they address policies and procedures for cardholder transactions and data processing. A business must protect cardholder data when they receive it and process all chargebacks and refunds. Providers’ applications and card payment terminals must also comply with respective PCI standards and should not store sensitive cardholder data.

          It is a brand’s responsibility to ensure that all third parties are PCI DSS compliant when handling cloud storage, and processing or transmitting cardholder data. A certificate of compliance can be requested annually from providers.

          Brands must maintain and implement policies and procedures to manage service providers with whom cardholder data is shared and ensure the eCommerce security of the cardholder data. 

          What happens if you are not PCI compliant?

          If cardholder data is compromised and eCommerce security is found to be non-compliant or without a certified assessment brands can face significant PCI compliance penalties. The flow-on effects of non-compliance can include a reduction in revenue, deteriorating financial health, and reputational damage.

          Beyond fines, a breach of the regulations can also lead to the suspension of a business’s credit card acceptance along with mandatory forensic examinations.

          Simplify PCI DSS with expert advice

          While it’s not always easy to understand, every Australian business which deals with cardholder data needs to be PCI DSS compliant. The risks and costs of a mistake far outweigh the resources required for compliance.

          The best way to avoid any missteps and subsequent PCI penalties is to work with a PCI DSS consultant, who can help your organisation understand its obligations and assist with compliance.

          Accel has extensive experience partnering with clients to achieve PCI DSS compliance. Our consultants can help ensure PCI compliance across your entire digital ecosystem, empowering you to easily detect, prevent and remediate data breaches. Our services include the development of PCI-DSS frameworks, processes, and systems.

          Secure acceleration starts here

          Get the crucial advice your business needs to adopt leading cloud security solutions by partnering with Accel.

          In the complex, ever-evolving cyber landscape, our services work to protect your business. We design and build highly secure eCommerce and website experiences – making the online marketplace a safer place for businesses and customers alike.

          For more information about security services, contact us.

          Our Capabilities

          Our advanced cybersecurity knowledge and industry expertise empower online businesses with greater security.

          Security Services

          We use deep cyber expertise to provide the crucial advice and support you need to transform your security posture.


          eCommerce platforms created by Accel allow businesses to guarantee their customers a secure shopping experience, every time.

          Managed Services

          Accel handles your day-to-day online security needs to keep your business innovative and safe in today’s ever-shifting landscape.

          Ready to accelerate? Let’s go.

          Request a call back