5 Consequences of PCI Non-Compliance
Quick Hits:
- Any organization that interacts with cardholder data must be PCI compliant.
- Companies that don’t meet PCI DSS requirements can expect fines from payment processors.
- PCI DSS non-compliance also dramatically increases the likelihood, and consequences, of a data breach.
What is PCI DSS Compliance?
The PCI DSS (Payment Card Industry Data Security Standard) was created by the major card brands to standardize the requirements for securing cardholder information. Its 12 requirements form a complex compliance framework enforced by the PCI Security Standards Council. PCI compliance is determined by a yearly assessment of the cybersecurity practices surrounding cardholder information.
Who Needs to be PCI Compliant?
Every organization that handles cardholder data must be PCI compliant. While the PCI DSS is not a law and is not enforced by the government, PCI compliance is strongly enforced by payment networks and the PCI Security Standards Council.
What Does PCI Non-Compliance Look Like?
PCI non-compliance is, simply put, failure to meet any of the PCI DSS requirements. This could look like any of the following:
- Firewall configurations that are improperly installed or maintained
- Anti-virus software that hasn’t been updated
- Vendor-supplied defaults still in use for system passwords
- Physical access to cardholder data that is not properly restricted
- Access to cardholder data that is not restricted on a need-to-know basis
- No regular testing of security systems and processes
These are just a few of many potential security issues related to protecting cardholder data. Because of this, it is important to take time to fully understand PCI DSS requirements to avoid non-compliance. Non-compliance can be a serious issue for any organization. There are many consequences to not being PCI compliant, and we’ll look at the top 5 today.
PCI DSS Penalties for Non-Compliance
Fines and Penalties
Fines from payment processors can place a huge financial burden on companies that are not compliant with PCI DSS. Fines vary based on the size of the business and the scope of the breach. Penalties usually range from $5,000 to $100,000 a month until the issue is fixed and the company attains compliance.
Fines of $100,000 a month are more likely for large Level 1 companies that process over 6 million card transactions a year and have been non-compliant for several months. Smaller businesses, such as Level 4 businesses that process under 20,000 card transactions a year, will pay fines closer to $5,000. PCI DSS compliance levels are determined by the number of card transactions a company processes. Monthly fines increase with the size of the company and the length of time it has spent out of compliance.
Penalties are usually transferred from the card brand to the payment processor, then from the payment processor to the company that violated PCI DSS. Because of this, penalties will vary between payment processors. Some payment processors may even charge additional fines on top of the penalties they must pay to the card brand.
All of these fines exist even if your company’s non-compliance does not end in a data breach. However, non-compliance creates security issues that are easily exploited by hackers looking to steal cardholder data. Non-compliance increases the likelihood of a data breach, especially if your company is not compliant for a long period of time. Non-compliance can also affect the aftermath of a data breach, which is what we’ll look at next.
Data Breach Compensation Costs
If your company suffers a data breach while non-compliant, it will be responsible for compensation costs alongside other potential fines. Compensation costs are the costs of helping customers whose data has been compromised. They can include free credit card monitoring, identity theft insurance, and even some service fee reimbursements. Costs will also likely include card replacements, which can range from $3 to $5 per customer and add up quickly when a large number of cards are compromised.
While PCI DSS compliance does not guarantee safety from data breaches, a PCI compliant company is less likely to suffer a breach and, if one does occur, may have the associated fines lowered or eliminated. In the event of a breach, compliance still carries weight and shows that your company has not been negligent with PCI DSS security requirements.
Legal Action
If PCI DSS non-compliance leads to a data breach, customers may choose to take legal action. A lawsuit, or several, is possible after any data breach. However, if you are not PCI compliant, customers and card brands can easily show your company’s negligence. If your business faces litigation on multiple fronts, whether from multiple customers or from card brands, legal costs alone can be enough to cripple your company.
Damaged Reputation
Endangering a customer’s data not only comes with fines and lawsuits, but it can also cause irreversible damage to your company’s reputation. Once your company has experienced a data breach, the customers affected may never have the same level of trust in your company again. Even unaffected customers may lose trust in your company, reasonably worried that their information may be compromised in the future.
A damaged reputation also emboldens hackers by revealing that your company has been operating below standard. Not being PCI compliant is a major data breach risk. If these weaknesses in your company’s security are not fixed quickly, they can be leveraged by hackers, leading to a data breach, which in turn increases the risk of further attacks.
Revenue Loss
Not only does PCI non-compliance come with financial costs, but any damage to your brand’s reputation can dramatically decrease revenue generation. In the case of a data breach, your company will have to juggle both the cost of the breach and the decreased revenue from scared or unsatisfied customers.
Customer trust cannot easily be regained once it has been broken. No matter how well your company responds to a data breach, some customers may never return. Others may be hesitant, waiting to see what actions your company takes to resolve the issue. Maintaining PCI compliance is crucial not only to prevent data breaches but also to regain trust once a breach has taken place. The ability to show customers that you are compliant with PCI standards won’t undo a breach, but it can be a step in the right direction.
How to Prevent PCI Non-Compliance
PCI DSS was created to protect cardholder data, and not complying with its requirements means your company is operating below the bare minimum of security effort. While data breaches are not a guaranteed outcome of PCI non-compliance, not adhering to PCI standards means there are gaps in security that hackers can exploit. While no company wants to receive fines for PCI non-compliance, the costs of a data breach can be far worse.
So how do you attain PCI compliance?
PCI compliance can be a lengthy and expensive process. However, if your company stores its cardholder data outside of its internal systems, you can dramatically reduce the scope of your PCI audits and attain compliance more easily. Check out IXOPAY tokens to see how you can secure your cardholder data in a way that reduces your compliance burden and eliminates the risk of cardholder data exposure in the event of a breach.