By now, most of us have heard the terms PCI compliance, PCI DSS, or Payment Card Industry Data Security Standard. If you need a refresher before we dive in, review some quick PCI DSS facts. These terms have been around for quite some time, and merchants have been complying, or attempting to comply, for years. If merchants are complying, that raises the question: why do we still see data breaches? The PCI standard was created to establish a baseline of security controls to protect cardholder data, and it does just that. The standard is a solid baseline for a security posture, but a security program by no means ends with a completed PCI self-assessment questionnaire (SAQ).
With the development of new payment technologies, such as more advanced point-of-sale (POS) terminals that keep card data out of the merchant's own systems, we see the overall scope of PCI compliance shrinking. Less cardholder data in scope means less risk from that data. However, this line of thinking is somewhat misleading, because a reduced PCI scope can give the merchant a false sense of security about the rest of its environment.