What If I … ?

Go out to the SPSP Forum on any given day and you will see postings such as:

“If I implement XYZ Solutions’ credit card processing widget, do I still have to go through the PCI DSS process?”

“If I use Blah-Blah’s POS, which is a PA-DSS certified solution, I’m automatically PCI compliant, right?”

Many organizations are expending tremendous amounts of effort trying to do or use something to avoid going through the PCI compliance process. If only this effort were focused on being PCI compliant, these organizations would likely be PCI compliant. Well, guess what people? There is no way to avoid going through the PCI compliance process. Oh, come on, there has to be a loophole? Nope. Nada.

When your organization signed its merchant agreement to accept credit cards for payment of goods and services, your organization agreed to be PCI compliant. Moreover, being PCI compliant means that your organization must annually evaluate itself against the relevant PCI standard and then file a report with its acquiring bank stating that the organization is either compliant or non-compliant.

However, these efforts to get out of having to comply with PCI are not totally for naught. Many organizations have done good work figuring out how to avoid storing cardholder data. But if you are a traditional brick and mortar merchant, your employees come in contact with credit cards every day, and those contacts are still covered by the PCI DSS regardless of how the transactions are processed by the POS. And for you e-commerce folks, you are not totally out of the woods either. While you may use PayPal or some other third party to process your card transactions, I will guarantee you that there is someone in your accounting department who deals with disputes and chargebacks, and that activity is covered under the PCI standards.

While there are ways to reduce the amount of effort it takes to get your organization PCI compliant, there is no way to avoid going through the process if your organization allows credit cards to be used for payment. So, to all of you folks trying to beat the system: either only accept cash and checks for payment, or put your efforts toward being compliant and get over it.
