With more than 510 million records containing sensitive information breached since January 2005, statistics indicate that cardholder data breaches are on the rise, and criminals are increasingly targeting small and medium businesses to obtain cardholder information. To help protect consumers’ payment data the payment card industry created PCI compliance.
The Payment Card Industry Data Security Standard (PCI DSS) has been in existence for years, requiring any merchant that processes, transmits, or stores customer’s cardholder data to achieve PCI compliance. The PCI compliance process comprises of 12 high-level PCI DSS requirements.
With the effort involved, entities may question whether they should allocate their time and financial resources or just ignore PCI compliance altogether. However, in the case of PCI compliance, the benefits ultimately outweigh the drawbacks as the risks associated with ignoring PCI DSS requirements can range from loss of reputation to financial ruin.
Merchants ignoring the growing adoption of PCI DSS do so at their own peril as the penalties for non-PCI compliance are severe. Non-PCI compliant merchants and payment processors can face fines from $5,000 to $500,000, depending on a variety of factors. In 2006 alone, Visa reported imposing $4.6 million in fines.
Additional costs include:
More devastating than fines, credit card companies may also revoke the right of a merchant to process credit card transactions, providing a “virtual death sentence” for many organizations.
Reputational damage, lost business and reduced partner/ consumer confidence and trust are just some of the after-effects of a data breach. Reports demonstrate that 69% of consumers would be less inclined to conduct business with a breached entity, which can even lower share price and impact the ability to raise capital in the future.
It is evident that the cost for getting and staying PCI compliant is pale in comparison to the potential costs and fines associated with data breach. The good news is that just by adopting the PCI DSS operating guidelines, entities can mitigate many, if not all of these risks.
It is not unusual for business owners to feel frustrated by the rules and requirements surrounding PCI DSS. Additional obligations excite few people, however the most productive way for merchants to think about PCI compliance is as a set of continuously evolving security best practices benefitting their business.
Engaging a Qualified Security Assessor (QSA) company such as Control Gap can simplify the process and help your organization adopt these practices and achieve compliance. Contact us at 1.866.644.8808 and we would be happy to help you.
Resources:
Desharnais, Yves B. PCI DSS Made Easy (PCI DSS 3.2 Edition). N.p.: n.p., n.d. Print.
https://www.namm.org/news/articles/pay-now-or-pay-later%E2%80%94-risks-associated-ignoring-pc
http://www.scmagazineuk.com/cant-we-just-ignore-pci-dss-and-get-on-with-life/article/216535/
https://iapp.org/news/a/2007-03-01-merchants-can-no-longer-ignore-the-pci-data-security-standard/
https://www.hytrust.com/wp-content/uploads/2015/08/HyTrust\_Cost\_of\_Failed\_Audit.pdf
8 min read
David Gamey : Aug 5, 2021 10:07:00 PM
It turns out that how you implement e-commerce can have a huge impact on your compliance footprint (i.e., the number of PCI security controls...
David Gamey : Jun 28, 2016 10:07:00 PM
The PCI Council has testified before Congress about standards and breaches in both 2014 and 2009 (links are to Google Searches). This year PCI is...
David Gamey : May 20, 2021 10:07:00 PM
Organizations subject to PCI DSS compliance validation spend significant amounts of time, effort, and money to maintain and validate their...
Robert Spivak