The Payment Card Industry (PCI) Security Standards Council is the governing body that establishes the policies that all merchants that process credit cards – large and small – must follow. By following the requirements set in the PCI Data Security Standard, merchants can better protect themselves against cyber attacks and thieves trying to steal customers’ credit card data.
The challenge is that it can be very difficult for organizations to implement the actual DSS requirements, figure out what controls are necessary, and which of their systems must be protected. This is especially true for smaller businesses that lack dedicated IT and Security staff.
Like anything in the world of IT, much of this evolves – from the standard itself to the card-reading technology to the credit cards themselves. And as columnist Evan Schuman recently wrote in Computerworld, many of these developments lead to unintended consequences that only add to the complexity.
Think about it. If Home Depot couldn’t get it right, what chance does the average mom-and-pop business have?
Data breaches and the theft of customers’ credit card data are costly events in real dollars, lost business, and damaged reputations.
But businesses must also keep in mind that there are costs for being non-compliant with the PCI DSS standard.
For example, payment brands – Visa, Mastercard, American Express, and others – can fine banks anywhere from $5,000 to $100,000 per month for violations of PCI compliance. The risk is that the bank will pass the fine on down to the merchant. For smaller businesses, such a fine can be crippling.
Non-compliance fines and fees usually follow a merchant being compromised or having some incident that brings their non-compliance to the attention of the card brands.
When a merchant is compromised, many expensive things will follow. These include the merchant immediately being required to complete a full PCI Level 1 validation by a Qualified Security Assessor (QSA) and to hire an authorized forensic incident response firm. Merchants can also be required to pay the card brands a fee for every compromised card that must be reissued, the cost of providing customers with credit protection, and other fees. Add it all up, and the total cost of an incident can quickly run into hundreds of thousands of dollars.
Worse, such fines are not imposed or even regulated by PCI. Instead, they are left up to the discretion of each payment brand. As PCI advises in their FAQ, “For more specific information, please contact the individual payment card brands.” But good luck trying to find clear, definitive guidance in any single place on the payment brands’ websites.
Fortunately, there is a better way forward.
For small and medium businesses, this risk, uncertainty, and potential cost underscore the value of selecting a trusted partner to assist them with their PCI compliance initiatives.
It seems the only thing more complicated than figuring out PCI compliance is getting clear guidance on the fines for non-compliance. Avoid the risk and work with the experts.