Archive for March 21st, 2009


What If I … ?

Go out to the SPSP Forum on any given day and you will see postings such as:

“If I implement XYZ Solutions’ credit card processing widget, do I still have to go through the PCI DSS process?”

“If I use Blah-Blah’s POS, which is a PA-DSS certified solution, I’m automatically PCI compliant, right?”

Many organizations are expending tremendous amounts of effort trying to do or use something to avoid going through the PCI compliance process. If only this effort were focused on being PCI compliant, these organizations would likely be PCI compliant. Well, guess what, people? There is no way to avoid going through the PCI compliance process. Oh, come on, there has to be a loophole? Nope. Nada.

When your organization signed its merchant agreement to accept credit cards for payment of goods and services, your organization agreed to be PCI compliant. Moreover, being PCI compliant means that your organization must annually evaluate itself against the relevant PCI standard and then file a report with its acquiring bank stating that the organization is either compliant or non-compliant.

However, these efforts to get out of having to comply with PCI are not totally for naught. Many organizations have done good work figuring out how to avoid storing cardholder data. But if you are a traditional brick and mortar merchant, your employees come in contact with credit cards every day, and those contacts are still covered by the PCI DSS regardless of how the transactions are processed by the POS. And for you e-commerce folks, you are not totally out of the woods either. While you may use PayPal or some other third party to process your card transactions, I will guarantee you that there is someone in your accounting department who deals with disputes and chargebacks, and those activities are covered under the PCI standards.

While there are ways to reduce the amount of effort it takes to get your organization PCI compliant, there is no way to avoid going through the process if your organization allows credit cards to be used for payment. So, all of you folks trying to beat the system: either accept only cash and checks for payment, or put your efforts toward being compliant and get over it.
