Since we first posed this question two years ago there have been a raft of changes across all areas of data protection and PCI compliance, such as the GDPR and PCI DSS v 3.2.1. In light of such changes and an increase in high profile data breaches, we revisit this question and ask: can your organisation afford to take the risk of being non-compliant?
The risk to your bottom line.
Whilst bank fines for non-compliance have been scrapped, there are still financial consequences for businesses found not to be PCI compliant. As you will be seen to be higher risk, you may find that the cost of transactions and your data protection/ cyber liability premium are higher too. But what’s more significant and potentially costlier is the GDPR now being in effect. As discussed by Tony Smith in IT Pro Portal card data and therefore PCI Compliance is in the scope of the regulation and a breach could land fines of up to £17m or 4% of global turnover.
The risk to your reputation.
What could be more damaging than the fines imposed due to a data breach? Following the exposure of the Facebook/ Cambridge Analytica data breach, The ICO have stated their intent to fine Facebook £500k, the maximum possible prior to the GDPR coming into effect. But the immediate impact was that share prices in Facebook dropped 24% and Cambridge Analytica closed completely. What we are seeing, as we predicted, is that damage to reputation can potentially be more threatening to the point where they cannot continue.
The risk to your customers.
PCI DSS v 3.2 now requires ongoing proof of compliance through the year to ensure that sensitive card data is continually secure. As discussed before, treating PCI as an annual exam is no longer sufficient. According to Verizon’s PCI DSS compliance report every company who has suffered a data breach were found not to be PCI compliant. It goes without saying that securing customer data should be of paramount importance to businesses. Products such as Agent Assist take this one step further by ensuring card data is kept out of your business systems and therefore there’s no data to lose, ensuring PCI compliance is always maintained for phone payments.