Does your business store, process, or transmit any payment card information? Then you need to be compliant with the latest version of PCI DSS! We’ve already had a look at how to make sure you are compliant— in this article we’ll take a look at the effects of being non-compliant. These can involve hefty fines month after month, legal fees, and very unhappy customers: all things your business wants to avoid!
What is PCI-DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of guidelines decided on by the major credit card companies. These guidelines are intended to guarantee the security of all private data that is stored and transferred when merchants process credit card information. They are regularly refined and updated to reflect the latest potential security breaches: the latest version is v3.2.
PCI DSS was set up to minimise the result of any potential data security breaches, in order to minimise the level of risk that credit companies and consumers exposed themselves to with each transaction. As a result, any sign that you are non-compliant is bad news for your organisation, whether or not any data has yet been compromised. The costs of non-compliance can include:
- a range of fines ranging from tens to hundreds of thousands of pounds
- insurance claims
- cancelled merchant accounts
- ruined customer relationships
Although the ultimate cost of PCI DSS is an insecure business network, as we’ll see, whether or not a security breach has yet happened, that is just the tip of the iceberg.
How are businesses fined under PCI-DSS?
No matter if you have outsourced your PCI DSS compliance to another company, you are always ultimately responsible for the security of the data you process. Even if a company claims to have given your business complete PCI DSS compliance, if it turns out your system is non-compliant in any area, all legal culpability falls on you.
Fines for PCI DSS non-compliance are entirely at the discretion of your acquiring bank. If you are suspected by them to have compromised data security by not complying with PCI DSS, whether or not there has yet been a breach, you are liable to pay a fine. These fines are not standardised by the PCI DSS, who only establish security guidelines.
Every acquiring bank has their own arrangements for punishing non-compliance, but as a general rule there are 2 kinds of fine:
- Non-compliance fines: If your bank’s deadline for PCI DSS compliance has passed, and you are found to still not be up to standard, you are liable to pay a non-compliance. This could be tens or hundreds of pounds, to be paid every month you are still not compliant, perhaps increasing as time goes on.
- Data compromise fines: If your company suffers a data security breach and you are found to not have been PCI DSS compliant, the fines can be major. They tend to be based around a fixed fine of about £15,000, with the cost of remuneration and the cost of a full forensic investigation, which can be hundreds of thousands of pounds, charged on top.
Whether or not your company suffers a security breach, PCI-DSS non-compliance can cause financial headache.
But there's more...
Because legal culpability for PCI-DSS compliance falls entirely on the Merchant, the costs of non-compliance can snowball as potential lawsuits from customers and businesses affected by your oversights combine with fines from acquiring banks. It is not uncommon for an acquiring bank to close your account following PCI-DSS non-compliance, effectively putting you out of business as you are unable to process payments, and the damage to your business’ reputation and your customers’ confidence can be hard to come back from. By ensuring PCI-DSS compliance you avoid all these additional punishments in the event of a security breach and gain:
- the ability to demonstrate that you have shown all due diligence to any authority you might deal with.
- the secure knowledge that all the data you and your network process is authenticated and maintained with confidentiality and integrity: good news for your customers, your workers, and your bank.
- a “Safe Harbour” from many legal fees and fines in the event of data breach: if you are PCI-DSS compliant are the time of a breach, insurers should pay remonstration fees, and no fines or additional charges will be inflicted on your business.
As the nature of modern business communications change to include new digital technologies, such as Unified Communications and cloud-based storage, it can feel that knowledge of your own PCI-DSS compliance is drifting out of your hands.
At our Digital Telecoms Transformation Forum, held at the BT Centre in Central London, we'll be discussing and demonstrating quick ways to achieve compliance - including taking secure payments over the phone. Register now for your free ticket!