Back to the Basics: What Is the Cost of Non-Compliance with PCI?
Although our research shows that achieving and maintaining PCI compliance builds trust with your customers, it’s all too easy to forget that being found non-compliant could cost you more than your reputation, whether or not you’ve suffered a data breach. If your business stores, processes or transmits payment card data then you need to be compliant with the Payment Card Industry Data Security Standard (PCI DSS).
A set of twelve requirements established by the major card brands, PCI DSS was set up to minimise the risk that card companies and consumers expose themselves to with each transaction. Although it is not written into law, a raft of regulations allows numerous organisations to impose penalties for non-compliance under a multitude of circumstances.
Every year businesses are asked by their banks to prove PCI compliance by completing self-assessment questionnaires (SAQs). Which one you complete is determined by what type of business you are and how you take card payments. The objective is to ensure that wherever in your organisation cardholder data is present, it is adequately protected. Even if you outsource your PCI DSS compliance to a third party or another company, legal and regulatory culpability still falls on you. If you are found to be non-compliant you will most probably face a raft of financial costs, such as:
- Fines – These are at the discretion of your acquiring bank but have been known to range from tens to hundreds of thousands of pounds.
- Recurring charges – You could also face recurring charges from your merchant account. Again, this is entirely at the discretion of the banks but has been known to run into hundreds of pounds a month.
- Increased costs of insurance and claims – Non-compliance increases the risk of sensitive cardholder data being exposed should a business suffer a data breach. It also indicates that your network is insecure and vulnerable to attack in other areas, so insurers treat it as high risk. This could increase your premium and affect insurance claims should you need to make one.
But this is just the tip of the iceberg when considering the cost of non-compliance. Should a business suffer a breach and be found non-PCI compliant, the cost can escalate sharply and in several ways.
Credit card data is personally identifiable information (PII) and is therefore subject to more regulation than PCI DSS alone. Within Europe the General Data Protection Regulation (GDPR) sets out how PII should be stored, transmitted and handled. PCI DSS and the GDPR overlap in that a breach of PCI compliance is also a breach of the GDPR and is therefore subject to the same punishment for non-compliance. Financially, this can mean a fine of up to £17m or 4% of a business’ global turnover in the most severe cases, and since the GDPR came into effect in 2018 the highest fines issued have been for breaches of financial details, with British Airways and Equifax being two high profile examples. But fines are not just limited to data in the EU:
- Personal Information Protection and Electronic Documents Act (PIPEDA) is the Canadian equivalent of the GDPR, and a breach could cost a business up to CAD$100,000
- The Australian Privacy Act has been amended recently, meaning that a breach could cost companies who suffer a data breach AU$10 million, or 10% of a company’s annual domestic turnover
The USA is also increasing regulation around data privacy on a state-by-state basis. Most recently the California Consumer Privacy Act (CCPA) adds protection to the data of Californians, and a number of states are set to follow suit with their own versions of this (see our data privacy infographic).
But it’s not just immediate fines that should concern businesses. Because the legal culpability for compliance falls on the merchant, the costs of non-compliance can snowball with potential lawsuits from customers; again, the British Airways data breach is a prime example of this. Our own research also shows that consumers will stop spending with organisations that suffer a data breach, which could further reduce profit.
What is clear is that if businesses choose to ignore PCI DSS, they are not just risking a set of small charges from their banks and merchant services. Should a company suffer a breach of financial data, the cost will likely snowball because of global data protection standards. Add to this that consumers will spend their money elsewhere if a data breach occurs, and it could cost companies financially and through loss of reputation and trust. This then poses the question: how can businesses achieve and maintain PCI compliance with the least amount of friction?
The answer is to descope from the requirements of PCI DSS where possible. Solutions such as Agent Assist and PCI Pal Digital allow businesses to take payments by phone or any digital channel without sensitive credit card data being seen, heard or stored by the business. Not only will this prevent fines for non-compliance, it will safeguard your reputation with your customers.