How to not be PCI Compliant

Maybe you’ve achieved it; maybe you’re struggling towards it; but have you thought how much you really need PCI compliance?

PCI DSS is about protecting cardholder data, primarily identified via the PAN (Primary Account Number) or the long number on the front of the card.

But the only reason to protect data is its value.

The average credit card limit is a few thousand pounds; reissuing a stolen card may cost €25; a debit card can withdraw about £250. But the value of the card number to your business can be very different.

Do you use the number for marketing analytics, repeat payments or customer support? Do you use the information to add value to your services and better target your customers?

If it’s simply a way of taking payment, then the card number itself is of no value to you, so why spend so much time and money protecting it? Why not spend that money reducing your scope of compliance?

Pursuit of the Trivial

As long as your organisation wishes to have customers pay by card, PCI compliance can never be fully eliminated, but it can be reduced to the point where it is trivial to maintain. There are various ways of doing this.


The most effective method of reducing the scope of compliance is to outsource cardholder data functions to a PCI compliant, certified service provider. Compliant services range from web hosting and remote maintenance to entire call centre and
payment processing solutions.

There is more information on this in Self Assessment Questionnaire (SAQ) A – ‘All cardholder data functions outsourced. No Electronic Storage, Processing, or Transmission of Cardholder Data’.

SAQ A reduces compliance to just 13 requirements, some only applicable if you deal with hardcopy cardholder data, such as merchant receipts. The rest merely require you to hold a list of service providers and ensure they remain compliant.


Tokenisation solutions replace the original PAN with a token. Whenever the PAN is required, the system reconstructs it from the token. Since the tokens are not actually PANs, they (and the systems that use them) are outside the scope of compliance.

Combining tokenisation and outsourcing is particularly effective, since this offers all of the functionality required. For example, a payment processor that offers tokenisation can allow you to set up repeat payments, still without requiring the
actual card number.


P2PE is a supporting standard, maintained by the PCI SSC, covering point-to-point encryption solutions – typically hardware devices which encrypt the cardholder data as it is taken. This data cannot be decrypted until it reaches the payment processer,
crossing the network without bringing other systems into scope.

P2PE solutions can greatly reduce the scope of compliance but only if they have been approved and listed on the PCI SSC website. Currently there are a number of approved assessors, but no approved solutions. This does not mean that P2PE won’t ultimately become effective, but customers need to push their vendors for certification before this route is a viable one.

Compliance – Coincidence, not Compulsion

PCI compliance is a requirement, but should not be a goal. Other goals will deliver more business value – and generate compliance as a by-product.

For example, 90% of PCI DSS requirements match security best practice, so if you set out to maximise your security, you will achieve the majority of PCI compliance as a positive bonus.

Ultimately, your organisation needs to decide the value that a card number has for you and if that value is worth the cost of compliance.



Accreditations & Certificates

MWR is an accredited member of The Cyber Security Incident Response Scheme (CSIR) approved by CREST (Council of Registered Ethical Security Testers).
MWR is certified under the Cyber Incident Response (CIR) scheme to deal with sophisticated targeted attacks against networks of national significance.
We are certified to comply with ISO 9001 and 14001 in the UK, internationally accepted standards that outline how to put an effective quality and environmental management systems in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor MWR is approved by PCI SSC to conduct external vulnerability scanning services to PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by PCI to validate other organisation's adherence to PCI DSS.
As members of CHECK we are measured against high standards set by NCSC for the services we provide to Her Majesty's Government.
MWR’s consultants hold Certified Simulated Attack Manager (CCSAM) and Certified Simulated Attack Specialist (CCSAS) qualifications and are authorized by CREST to perform STAR penetration testing services.