Back to the Basics: What Is the Cost of Non-Compliance with PCI DSS?
Does your business store, process or transmit payment card data? If so, you need to be compliant with the requirements of the Payment Card Industry Data Security Standard (PCI DSS).
PCI DSS is a set of twelve requirements. The major credit card providers established these requirements to minimise the level of risk that card companies and consumers expose themselves to with each transaction. Although PCI DSS itself is not written into law, a raft of regulations allow numerous organisations to impose penalties for non-compliance under a multitude of circumstances.
As companies evaluate compliance strategies, the top concern that comes up is ‘how will security fit within the budget?’ However, with more companies hitting the headlines as victims of a data breach, PCI compliance is turning from a bare-minimum line item into a worthwhile investment. In fact, failing at compliance could easily prove more costly.
The Many Costs of Non-Compliance
If you are non-compliant, you could face a multitude of bottom-line financial costs, such as:
- Fines – These are at the discretion of your acquiring bank. They can range from tens of thousands to hundreds of thousands.
- Recurring charges – You could also face recurring charges from your merchant account. Again, this is entirely at the discretion of the banks, but could prove a costly additional monthly sum.
- Increased costs of insurance and claims – Non-compliance increases the risk of sensitive cardholder data being exposed. It also means that your network is insecure and vulnerable to attack in other areas. Insurers see this as high-risk. This could increase your premium and affect insurance claims should you need to make one.
Beyond bottom-line costs, the damage to your customers’ safety and the ensuing reputational costs add up.
Customer safety and data security should be of paramount importance to any organisation responsible for handling and storing sensitive data. In a world where so much of life is conducted online, data breaches can have a severe impact on your customers’ lives. Consider financial loss and identity theft, for starters. Keeping customer data secure is therefore vital. Complying with the requirements of PCI DSS is a great foundation to your security journey.
If you suffer a breach (and it’s a breach that PCI DSS compliance would have prevented), the damage to your reputation is likely to be high. This could affect future business. It could also cause an immediate drop in share prices and sales. These can be hard to recover from.
Our own research shows that consumers will stop spending with organisations that suffer a data breach. This also negatively impacts profit. And, because the legal culpability for compliance falls on the merchant, the costs of non-compliance can further snowball as potential lawsuits from customers arise.
More Costs: Non-Compliance With Other Regulations
If your organisation is not compliant with the requirements of PCI DSS, there is a good chance you are also inherently not compliant with other regulations.
Credit card data is Personally Identifiable Information (PII), and is therefore subject to more regulation than PCI DSS alone. Within Europe, the General Data Protection Regulation (GDPR) sets out how PII should be stored, transmitted and handled.
PCI DSS and the GDPR sit on the same branch. A breach of PCI compliance is a breach of the GDPR, and therefore is subject to the same punishment for non-compliance.
Financially, this can mean a fine of up to £17m or 4% of a business’ global turnover in the most severe cases. Since the GDPR came into effect in 2018, the highest fines issued have been for breaches involving financial details. British Airways, Equifax and Marriott are three high-profile examples. British Airways was hit with the largest privacy fine in the UK’s history, at £20 million ($27.6 million), and Marriott was hit with the second largest, at £18.4 million ($23.8 million).
But fines are not just limited to data in the EU:
- The Personal Information Protection and Electronic Documents Act (PIPEDA) is the Canadian equivalent of the GDPR. A breach could cost a business up to CAD$100,000.
- The Australian Privacy Act has been amended recently. A breach could cost companies AU$10 million, or 10% of a company’s annual domestic turnover.
- The USA is increasing regulation around data privacy on a state-by-state basis. For example, the California Consumer Privacy Act (CCPA) adds protection to the data of Californians. A number of states are set to follow suit with their own versions of this (see our data privacy infographic).
How to Prove Compliance
Since a breach amid non-compliance is so costly, proving compliance becomes key.
Every year, businesses must prove PCI compliance either by employing the services of an external Qualified Security Assessor (QSA) or by completing the self-assessment questionnaires (SAQs) issued by their banks. Which one you complete is determined by what type of business you are and how you take card payments.
The objective is to ensure that wherever cardholder data is present in your organisation, you adequately protect it. Even if you outsource your PCI DSS compliance to a third party or another company, legal and regulatory culpability still falls on you.
While audits happen once a year, it is important to maintain security precautions throughout the year. This ensures that, come audit time, your organisation is ready and compliant.
An Easier Path to Proof of Compliance
While PCI DSS can seem complicated, there is one tactic that streamlines the process for achieving and maintaining compliance.
Descoping means keeping customers’ card data out of your own systems wherever possible, so that fewer parts of your environment process or store that data and fall within the scope of the PCI DSS requirements.
Not only does descoping support the journey to compliance, but it offers many other cost savings of its own.
PCI Pal solutions such as Agent Assist, IVR and Digital allow businesses to descope. They create an environment for taking payments by phone or any digital channel from customers without sensitive credit card data being seen, heard or stored. This prevents fines for non-compliance. It also safeguards your reputation with your customers.
Every Organisation Should Strive for PCI DSS Compliance
It is clear that businesses should not ignore PCI DSS. Doing so risks far more than a set of small charges from their banks and merchant services.
If a company suffers a financial data breach, the cost will likely snowball. Consumers will choose to spend their money elsewhere (and even sue). Fines from other data protection standards will join the mix.
Fortunately, by actively maintaining security best practices year-round, preparing for the audit and streamlining compliance via descoping, organisations can achieve compliance, safeguard their reputation, and build trust.