Business Login
Back
What We Do

Go beyond basic processing with a full payments experience management platform.

Our Technology

Purpose built to solve today's payment challenges and scale for tomorrow's opportunities.
Bill Pay

The modern and reliable bill pay platform that lets customers pay how, when and where they choose.
MoneyLine

MoneyLine makes deposits, payouts and engagement easy—all in a single, powerful platform.
Back
Who We Work With

Trusted by industry leaders to deliver exceptional payment experiences.

Learn More
Back
Resources

Learn more about payments best practices and download helpful resources.

Learn More
Back
About

PayNearMe builds technology that leads to better payment outcomes for businesses and their customers.

Learn More

Reminder: Compliance Does Not Equal Security

Articles
May 28, 2019
Share:
Reminder: Compliance Does Not Equal Security

This article was originally posted on the AFSA Blog.

When two things are closely related, we tend to trick ourselves into thinking the two are interchangeable. Wash your hands and you won’t get sick. Smile often and people will like you. Pass your PCI Compliance audit and your customers’ data is safe.

correlation is not causation
Source: https://xkcd.com/552/

This common fallacy is formally known as “cum hoc ergo propter hoc”, but you’re likely more familiar with its English counterpart: Correlation doesn’t imply causation. In some cases, it’s painfully obvious when this is at play, like how the declining divorce rate in Maine has a 99.6% correlation with the decline in consumption of margarine (we finally believe it’s not butter!)

pci compliance is not security
Source: https://tylervigen.com/spurious-correlations

Other times, the relationship between two concepts is so intertwined that we struggle to identify the fallacy. For businesses who collect card payments from customers, there is significant danger in assuming that PCI compliance and data security share a causal relationship.

Finding the Gaps

While we won’t get too deep into the gaps between data security and PCI-DSS compliance (two extremely complex and nuanced topics), it’s important to examine a few of the areas where the two diverge.

Compliance Addresses Risks, Not Threats

Those familiar with PCI-DSS know that compliance is split into different levels based roughly on the number of card transactions you process. Level 1 businesses, who process more than 6 million card transactions annually, have much more rigorous requirements to adhere to than their Level 4 counterparts, who handle a significantly lower number of transactions.

PCI Compliance Levels
Source: https://www.bigcommerce.com/blog/pci-compliance/#ecommerce-pci-compliance-requirements

But do security threats subdue themselves when dealing with smaller merchants? No. The same threats that can be difficult for an L1 to fend off may be exponentially more difficult for a L3 or L4 merchant to handle. The big bad wolf will blow just as hard, regardless of whether your house is made of brick or straw, and the fines can be equally high for merchants in any tier.

Compliance Can’t Cover Everything

In a recent webinar with PayNearMe and AFSA, we shared three examples of organizations that were PCI compliant but still suffered massive data breaches. The reasons may surprise you, but they can happen to any business.

  • Vendors: Are all of your vendors practicing data security best practices? What about their vendors? Are they even PCI-DSS compliant?
  • Technology: Does your technology put you at risk for a breach? Are there backdoors between internal systems that could cause issues?
  • Employees: Are there mechanisms in place to ensure your employees don’t abuse or misuse customer data?

This list is far from comprehensive, but illustrates an important consideration for your team: being 100% compliant does not necessarily make you secure.

Compliance Isn’t Realtime

While compliance standards are changing all the time, they don’t adapt in real time. Looking at the current PCI-DSS standards, this becomes clear. Many of the standards are months or even years old – and for good reason. Compliance standards must balance constant evolution with fixed intervals to ensure organizations actually know what to adhere to.

Large organizations, especially Level 1 & 2, go through rigorous audits and large scale process reviews to meet PCI compliance standards. It would be nearly impossible to change standards without ample time for organizations to adapt.

Data security must be more proactive (and reactive) to real-time threats in the environment. If a vicious piece of malware or a third party software exploit is making its way through the web, companies cannot afford to wait for a new standard.

Again, compliance does not equal security.

Don’t Lose Sight of What’s Important

It’s worth circling back to reiterate a critical point: compliance is still extremely important. It provides a measuring stick for how well you are doing in critical security areas, identified by some of the most influential leaders in card processing and infosec.

As a business, you should look at proper PCI compliance as one path to the end goal of data security, but not the only one. Security is a strategy, an ongoing framework to protect customer data. Compliance is a thoughtful standard to guide you there.

Forever linked, but not the same.

Research: Consumer Trends Driving the Future of Loan Payments

Related Posts

Common Payment Fraud in iGaming (and How to Prevent It)

Articles
April 1, 2024
Read Article

How iGaming Operators Can Help Cut Downtime (and Costs) with Redundancy

Articles
March 22, 2024
Read Article
See More