What are some of the biggest consequences of PCI non-compliance for businesses? Continue reading to learn more!
First published in December 2004 (version 1.0), the Payment Card Industry Data Security Standard (PCI DSS) was created jointly by the major card brands to establish a common baseline for protecting cardholder data; since 2006 it has been maintained by the PCI Security Standards Council they founded.
Its main intention was to tighten control over how cardholder data is stored, processed and transmitted, making card payments safer and reducing payment fraud, for the protection of both merchants and their customers.
This means that businesses that are not PCI compliant face serious consequences, ranging from penalties passed on by their acquiring bank and payment processor to lawsuits and lasting reputational damage.
In this article, we will discuss some of the most serious ones, and what you can do to prevent them to ensure full security for you and your customers.
But before we dive right into the negative consequences of PCI non-compliance, let’s answer some important questions:
Who needs to be PCI-DSS compliant?
Every organisation that stores, processes, or transmits cardholder data needs to be PCI DSS compliant. For example, if an ecommerce merchant accepts payments on its website and stores card data for future purchases, it is required to comply with the PCI standard.
In other words, practically every business that accepts card payments, online or otherwise, falls within the scope of PCI DSS; outsourcing the payment page to a compliant provider reduces what you must validate, but it does not remove the obligation.
What are the PCI-DSS requirements?
In total, there are 12 PCI DSS requirements, grouped under 6 goals: build and maintain a secure network, protect cardholder data, maintain a vulnerability management programme, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy.
The PCI standard, created by American Express, Discover, JCB International, Mastercard and Visa Inc., summarises the technical and operational requirements as follows (this is the wording used through PCI DSS v3.2.1; v4.0, published in 2022, keeps the same 12 requirements but rewords them and adds new sub-requirements):
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors
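Requirement 3 is the one most directly testable in code: sensitive authentication data (CVV2, full magnetic-stripe track data, PIN blocks) must never be stored after authorisation, a displayed PAN may show at most the first six and last four digits, and a PAN may only be stored hashed if the hash is keyed, because a plain hash of a 16-digit number with a known BIN is trivially brute-forced. The following is an added example, not code from the original page or from MYMOID; it assumes the first-six/last-four masking rule and uses only industry test card numbers and constructed log lines. The last function shows the complementary check from Requirement 10: scanning application logs for PANs that were written in the clear.

```python
import hashlib
import hmac
import re

# Constructed sample log (not real data): industry test PANs 4111 1111 1111 1111
# and 5555 5555 5555 4444, a properly masked PAN, and a 16-digit order id that is
# NOT a card number (it fails the Luhn check).
SAMPLE_LOG = """2024-03-01T10:00:00Z payment ok pan=4111111111111111 amount=12.50
2024-03-01T10:00:01Z payment ok pan=411111******1111 amount=12.50
2024-03-01T10:00:02Z order=1234567890123456 status=declined
2024-03-01T10:00:03Z refund pan=5555 5555 5555 4444 amount=3.00
"""

# Fields PCI DSS Requirement 3.2 forbids storing after authorisation.
SENSITIVE_AUTH_DATA = {"cvv", "cvv2", "cvc", "cvc2", "track1", "track2", "pin", "pin_block"}

# Digit runs of 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: true for every valid PAN, so it filters out
    order ids and timestamps that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits, the rest replaced by '*'
    (the masking rule assumed from PCI DSS v3.2.1 Requirement 3.3)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_reference(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the PAN for matching repeat customers.
    A keyed hash is used instead of a bare SHA-256 because, given a known
    BIN, an unkeyed hash of the remaining digits can be brute-forced."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def sanitize_card_record(record: dict, key: bytes) -> dict:
    """Produce the only form of a card record that may be persisted:
    sensitive authentication data dropped, PAN masked, keyed reference kept."""
    out = {}
    for field, value in record.items():
        name = field.lower()
        if name in SENSITIVE_AUTH_DATA:
            continue                      # never written to storage
        if name == "pan":
            out["pan_masked"] = mask_pan(value)
            out["pan_ref"] = pan_reference(value, key)
        else:
            out[field] = value
    return out


def find_unmasked_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN that appears in the clear in log text.
    Any hit is a Requirement 3 violation worth alerting on."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    key = b"hypothetical-hmac-key-kept-in-an-hsm-or-kms"
    record = {"pan": "4111 1111 1111 1111", "cvv2": "123", "expiry": "12/27"}
    print(sanitize_card_record(record, key))
    print("unmasked PANs in log:", find_unmasked_pans(SAMPLE_LOG))
```

Run against the constructed log, the scanner reports only the two real PANs: the masked entry contains no 13-digit run and the order id fails the Luhn check. The hypothetical HMAC key stands in for a key held in an HSM or key-management service; under PCI DSS the key itself is in scope and must be managed as Requirement 3 describes.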
And now, let’s take a look at the negative consequences of PCI non-compliance:
1. Monthly penalties by financial entities
One of the negative consequences of PCI non-compliance is being fined. The card brands levy the fines on the acquiring bank, which passes them on to the merchant; they are commonly cited as ranging from $5,000 to $100,000 per month depending on the size of the organisation, the scope and seriousness of the breach, and how long the non-compliance has persisted.
To put things into perspective, companies that handle large volumes of customers and transactions can typically expect to pay higher fines than smaller businesses. Another factor is the PCI merchant level the company falls into, as well as the period of time during which it has been non-compliant.
For example, for Level 1 companies that have not met the requirements for more than 7 months, the penalties can reach up to $100,000 monthly for continued PCI non-compliance.
Image source: pcisecuritystandards.org
PCI merchant levels are defined by each card brand according to the number of card transactions a merchant processes annually, and they can be summed up as follows:
Level 1: over 6 million card transactions per year.
Level 2: between 1 and 6 million card transactions per year.
Level 3: between 20,000 and 1 million e-commerce card transactions per year.
Level 4: fewer than 20,000 e-commerce card transactions per year (Visa also places any other merchant with up to 1 million transactions here).
The level determines how compliance is validated: Level 1 merchants need an annual on-site assessment by a Qualified Security Assessor resulting in a Report on Compliance, while lower levels validate with a Self-Assessment Questionnaire and, where applicable, quarterly scans by an Approved Scanning Vendor.
Additionally, keep in mind that any penalties the acquiring bank or payment processor incurs as a result of a merchant's PCI non-compliance are passed on to that merchant under the merchant agreement. This can sour the relationship between the financial entity and the company.
For this reason, it is important to use a Level 1 service provider as your payment gateway, one that has itself been validated against PCI DSS. This both secures the transaction path and keeps the bulk of cardholder data out of your own environment, which shrinks the scope you must validate (typically down to a short Self-Assessment Questionnaire), although it does not remove your obligation to comply.
2. Infringement consequences
Breach consequences are another possible negative outcome of PCI non-compliance. If a company has suffered a breach in which cardholder data has been compromised, it can expect the following:
- Between $50 and $90 per cardholder whose information has been compromised;
- Termination of the relationship between your company and its bank or payment processor;
- Damage to your company's reputation;
- Lawsuits from the customers whose data was exposed;
- Loss of trust due to the lack of security.
Additional consequences may include increased rates charged by payment processors and banks, the cost of a mandatory forensic investigation (carried out by a PCI Forensic Investigator) to determine the cause and scope of the breach, and the cost of reissuing the affected cards.
It is important to keep in mind that PCI DSS in itself does not prevent data breaches. It reduces their likelihood and impact, but it is not a guarantee of complete protection.
If a company suffers a data breach while compliant, it may receive lighter penalties from the card brands, but it will still bear the other costs of the breach.
3. Compensation costs
On top of penalties from banks and payment processors, if you suffer a data breach you will probably have to compensate the customers whose data has been compromised as well.
This includes, but is not limited to, the cost of credit monitoring, identity theft insurance, card replacement, and more.
This alone can cost companies millions of dollars depending on the scope of the breach. For example, in 2019 Capital One suffered one of the biggest data breaches in history, exposing the personal data and credit card application records of more than 106 million customers.
As a result, it agreed to a class-action settlement of $190 million.
Source: businessinsider.com
4. Legal Action
In addition to fines from banks and payment processors and compensation costs for customers, a very likely outcome of exposing cardholder data is litigation: individual lawsuits from affected customers or, worse, class actions brought on behalf of all the breach victims at once.
In 2007, TJX agreed to pay up to $40.9 million to Visa card issuers for a data breach that exposed more than 45 million payment cards. In 2014, Neiman Marcus disclosed a breach affecting approximately 1.1 million cards that had gone undetected for about three months.
5. Damaged reputation for PCI non-compliance
Putting your customers' card data at risk not only drives up costs; it can cause lasting damage to your brand's reputation as customers lose confidence in your security.
Once your security has been compromised, it will be very difficult for customers to trust you again, especially with their payment details.
In fact, a Forbes Insights report found that 46% of companies had suffered reputational damage after a data breach, and 19% suffered brand damage as a result of a third-party security breach.
As with many other things, the best way to prevent the negative consequences of PCI non-compliance is to act before anything has happened. One way to do that is to accept payments through a secure, trustworthy, PCI DSS Level 1 payment gateway such as MYMOID.
6. Revenue loss
A strong repercussion on your brand's reputation can drastically decrease your revenue through the loss of customers following a security breach.
In 2013, the retail giant Target suffered a breach that exposed more than 41 million payment cards; its profit fell by roughly $440 million (46%) in the quarter following the breach, and in 2017 it agreed to an $18.5 million settlement with 47 US states and the District of Columbia.
In fact, according to IBM's Cost of a Data Breach Report, 2021 saw the highest average breach cost in the 17-year history of the report, something the report links to the pandemic-driven shift to remote work and online transactions.
The average cost of a data breach rose from $3.86 million to $4.24 million, and the initial attack vectors the report lists most often, compromised credentials and misconfigured systems, correspond directly to controls that PCI DSS mandates.
7. Going out of business
One of the possible consequences of PCI non-compliance is going out of business, if the penalties are too high or the reputational damage too severe.
This happens because the impact of a cyberattack does not typically fade after the initial hit. Breakdowns of the cost of a data breach show that it lingers over a long period.
Companies that survive the initial costs may keep paying for remediation and damages over the following years, while also trying to repair their reputation.
Unfortunately, the bills from a cyberattack often keep arriving for years. According to research, companies pay about 61% of the costs associated with a data breach in the first year after the incident, while 24% comes due in the following 12 to 24 months. The remaining 15% can arrive more than two years later.
8. Regulatory audits
PCI DSS itself is a contractual standard enforced by the card brands through acquiring banks, not a law, but in the United States the Federal Trade Commission treats inadequate protection of card data as an unfair or deceptive practice under Section 5 of the FTC Act.
The FTC has brought enforcement actions against companies breached after failing to secure cardholder data, and its consent orders typically require an independent third-party security assessment every two years for up to 20 years, alongside any monetary penalties. Companies handling large volumes of card data should therefore expect regulatory scrutiny on top of the card brands' own requirements.
Complying with the security regulations for managing bank cards is extremely important for your business and the safety of your clients.
However, the cost of PCI DSS validation can be high for many small companies, leading some to keep accepting card payments while non-compliant.
It is easy to fall into this temptation, but the consequences of PCI non-compliance can be devastating for your business.
Fortunately, this problem has a solution. MYMOID, the progressive platform for online payments, offers a secure and affordable payment experience in compliance with PCI DSS, so you can manage and store your clients' card data in a safe and convenient environment.
Also, do not forget to download our ebook on PCI-DSS for additional information on PCI-DSS and PCI non-compliance. By downloading the ebook, you will learn more about:
- The evolution of digital payments
- Data risk and the need for undertaking security measures
- Definition and characteristics of PCI-DSS compliance
- Negative consequences of PCI non-compliance
- Best practices and benefits of being PCI compliant
- Common uses and applications of PCI-DSS
- PCI compliance vs. Payment platforms
- Is PCI obligatory for your company?