Blog - Virid: People-Powered eCommerce

5 Myths of Payment Security

Securing payment data is vital for protecting your customers and your business. Unfortunately, there are many misconceptions about payment security goals, the most effective strategies, and even the types of organizations that are most at risk.

Let’s examine—and debunk—some of the most common payment security myths.

Myth 1:

The end goal of payment security efforts is PCI DSS certification.

Wrong. The end goals should be to secure data, protect your brand, and instill customer confidence so you continue to make money.

Working toward Payment Card Industry Data Security Standard (PCI DSS) certification—which proves you are compliant—can be a worthwhile endeavor. But you can’t stop there.

Lost business—not fines or administrative costs—accounts for the greatest financial consequence of a data breach.1 Approximately 33 percent of affected consumers avoid doing business with a retailer after a breach.2 And those are just the ones who are affected. There are also customers who will not do business with a company due to the perceived risk.3

Your payment security efforts should focus not only on achieving point-in-time certification but also on maintaining the long-term viability of your business.

Myth 2:

PCI DSS certification ensures payment security.

PCI DSS certification can reinforce a focus on securing the asset as opposed to removing the risk. While PCI DSS certification requirements offer a good framework for addressing security, PCI DSS certification does not ensure ongoing security. It is the responsibility of the merchant and service provider to maintain compliance at all times, and across all systems and processes. PCI DSS certification can attest only to the state of security at the moment of the audit. Business dynamics and the state of security can change hours, days, weeks, or months after the audit and prior to the next.

In fact, some companies suffering major breaches have been PCI DSS–certified. Validated compliance with PCI standards did not protect those companies from losing customer loyalty or having their stock price drop.4 Even with PCI standards in place, there is a high dependence on human adherence to policies and procedures. Reliance on human behavior is obviously fallible, either as a result of a mistake or an intentional subversion of security policy.

Myth 3:

You need raw payment data to run your business.

False. You can operate your business and service your customers without raw payment data. National and global multibillion-dollar companies are successfully operating without transmitting, storing, or processing any payment data. There are solutions to help you process credits, challenge chargebacks, manage recurring billing, offer wallets and seamless purchase experiences, and conduct any transaction-related activities without using raw payment data.

It is this myth—that you need raw payment data to run your business—that prevents many businesses from taking the most effective, commonsense approach to security, which is not interacting with raw payment data. Separate your staff and systems from payment information. If there is nothing to steal, there’s less at risk. When you adopt this approach, a whole new, effective security strategy becomes evident.

Myth 4:

Hackers are interested only in large businesses.

Not true. In fact, small and medium-sized businesses are often key targets for hackers because the defenses of these businesses are usually easier to penetrate than those of large enterprises. According to a Ponemon survey conducted in 2016, 55 percent of small and medium-sized businesses had experienced a cyberattack within the previous 12 months—and 50 percent of respondents had suffered a breach involving customer and employee information.5

Payment information is among the top prizes for hackers. Yet—just as with large enterprises—small and medium-sized businesses can reduce the risk that payment data will be stolen by removing payment data from their environment.

Myth 5:

EMV protects all payment data from cyberattacks.

Not exactly true. EMV technology makes “skimming”—or creating counterfeit cards after stealing credit card information—much more difficult for fraudsters. A chip embedded within the EMV-enabled credit card helps verify the authenticity of the card and confirm each purchase. Even if fraudsters were to successfully hack into point-of-sale (POS) terminals and capture key credit card information—such as the card number, expiration date, CVV (credit verification value), and so on—cloning these cards would not enable them to complete transactions at POS terminals.

Although EMV is helpful for preventing skimming, it does not protect the card numbers and expiration dates transmitted during card transactions, and it does not protect card data from being compromised in the event of a breach. Hosted payment technologies, point-to-point encryption (P2PE), and tokenization are better able to offer that kind of protection.

Tokenization creates a completely random number—or token—from card data, and it’s that token that is used for card transactions. You store the token on your server but none of the original card data. The relationship between the card data and token is stored in a secured vault, outside of your environment. So even if your environment is breached, there is no card data to steal—only tokens that cannot be used to re-create the original information.

Employ a Multilayered Payment Security Strategy

To effectively mitigate the risk of payment data compromise, you need a multilayered strategy—one that allows you to accept payments without handling or storing sensitive payment data. For example, if you use tokenization to protect data at rest, you must use P2PE to protect data in transit, unless you have chosen to use a hosted security solution. Hosted web pages can effectively remove sensitive data from your systems entirely by providing a seamless way for the processor to host and house payment data. And EMV—though not a data security technology in the classic sense—adds an important layer of protection in a holistic card security strategy since EMV chip cards make it very difficult for criminals to use compromised data to perpetrate counterfeit fraud.

This type of comprehensive technology approach can be effective in protecting sensitive card data whether your business is a large, global enterprise or a small-to-medium-sized company.

Ready to learn how CyberSource payment security solutions can help you reduce risks while decreasing PCI DSS scope? Contact your CyberSource sales representative, or visit:

CyberSource can help you:

  1. Grow sales and succeed in digital commerce
  2. Mitigate risk and reduce cost of payments
  3. Be agile and succeed in digital commerce

CyberSource, a wholly owned subsidiary of Visa, Inc., is the only integrated payment management platform built on secure Visa infrastructure, with the payment reach and fraud insights of a massive $427 billion global processing network. CyberSource and Authorize.Net payment management solutions help businesses grow sales, mitigate risk, and operate with greater agility.

For more information, visit

CyberSource is a global, modular payment management platform built on secure Visa infrastructure with the benefits and insights of a vast $427 billion global processing network. The solution helps businesses operate with agility and reach digital commerce goals by enhancing customer experience, growing revenues and mitigating risk.


1 Ponemon Institute, “2016 Cost of Data Breach Study: Global Analysis,” June 2016,

2 Javelin Strategy and Research, “Avoidable Collateral Damage from Corporate Data Breaches: Assessing the Effects of Data Breach Remediation on Financial Institutions, Healthcare Providers, and Merchants,” April 2014,

3 “Does a data breach really affect your firm’s reputation?” CSO Online, January 7, 2016,

4 “Stock Prices Average Significant Drops After a Breach,” Infosecurity, May 15, 2017,

5 Ponemon Institute, “2016 State of Cybersecurity in Small & Medium-Sized Businesses (SMB),” June 2016.


Topics: payment, cybersource, security, General, partner, visa

Written by CyberSource