The Payment Card Industry (PCI) Security Standards Council is the governing body who establishes the policies that all merchants that process credit cards – large and small – must follow. The idea is that by following the requirements set in the PCI Data Security Standard, merchants can better protect themselves against cyber attacks and thieves trying to steal customers' credit card data.
The challenge is that can be very difficult for organizations to implement the actual DSS requirements, figure out what controls are necessary, and which of their systems must be protected. This is especially true for smaller businesses that lack dedicated IT and Security staff.
Like anything in the world of IT, much of this evolves over time – from the standard itself, to the card reading technology, to the credit cards themselves. And as columnist Evan Schuman recently wrote in Computerworld, many developments lead to unintended consequences that only add to the complexity.
Think about it. If Home Depot couldn't get it right, what chance does the average mom and pop business have?
Obviously, data breaches and the theft of customers' credit card data are costly events in real dollars, lost business and damaged reputations.
But businesses must also keep in mind that there are costs for being non-compliant with the PCI-DSS standards.
For example, the payment brands – Visa, Mastercard, American Express and others – can fine banks anywhere from $5,000 to $100,000 per month for violations of PCI compliance. The risk is that the bank will pass the fine on down to the merchant.For smaller businesses, such a fine can be crippling.
Non-compliance fines and fees usually follow a merchant being compromised or having some incident that brings their non-compliance to the attention of the card brands.
When a merchant is compromised there are many expensive things that will follow. These include the merchant instantly requiring a full PCI Level 1 validation by a Qualified Security Assessor (QSA) and hiring an authorized forensics incident response firm. Merchants can also be required to pay the card brands a fee for every card lost to be reissued, the cost to provide customers credit protection, and other fees. Add it all up, and the total cost of an incident can easily go into the hundreds of thousands of dollars.
To make matters worse, such fines are not imposed or even regulated by PCI, rather they are left up to the discretion of each payment brand. As PCI advises in their FAQ, "For more specific information, please contact the individual payment card brands." But good luck trying to find clear, definitive guidance in any single place on the payment brands' websites.
Fortunately, there is a better way forward.
For smaller to medium-sized businesses especially, all of this risk, uncertainty and potential cost really underscores the value of selecting a trusted partner to assist them with their PCI compliance initiatives.
Because it seems the only thing more complicated than figuring out PCI compliance itself getting clear guidance on the fines for non-compliance. Avoid the risk and work with the experts.