The Payment Card Industry Data Security Standard (PCI DSS) does a great job of outlining how an organization should go about protecting cardholder data. Most organizations take the best practices from the PCI council and implement a strong information security strategy bent on enforcing PCI standards, compliance requirements, and vulnerability management.
What happens when an organization doesn’t follow the rules as it should, or suffers a data breach because of negligence?
- The organization loses credibility and suffers a reputational loss, which has an unmeasurable impact on the bottom line.
- The organization may lose the ability to accept credit cards, significantly impacting its ability to sell products and services.
- The organization may have to pay fines, strengthen its information security, and have an independent assessment performed by a qualified security assessor (QSA). Note that a QSA-performed assessment is required for all level 1 merchants, regardless of compliance.
Reputation
The inability to stay PCI DSS compliant may have far-reaching consequences when it comes to business brand value. The old adage comes to mind: when something good happens, people typically tell a friend, but when something bad happens, they tell everyone they know. There is nothing like a data breach that exposes credit card information to truly impact a business’s image and reputation.
Take, for instance, the Target breach. Excessive permissions granted to a third party impacted the network and allowed for the theft of countless customers’ cardholder data. Large organizations typically have cybersecurity insurance to help mitigate the cost of a data breach, but it does little to repair the damage done to the masses impacted by the theft.
While Target would have been required to pay more fines without cybersecurity insurance, the impact on the brand was immeasurable. Stock prices fell for an extended length of time and the number of customers visiting stores dropped significantly. A failure to comply with PCI DSS, or a data breach, has long-lasting negative brand implications.
Loss of ability to accept credit cards
Imagine how many transactions are conducted using cash or check. Now, think about how many card transactions leverage Visa, Mastercard, American Express, Discover, or JCB. Picture how commerce has become dependent on card payments and the impact of losing the ability to accept them because of a failed PCI compliance assessment or data breach.
The inability to accept payment cards would be a major inconvenience for a brick-and-mortar organization. If an organization survives on e-commerce, losing the ability to accept credit cards can, in essence, put it out of business. It is easy to see why being PCI compliant is such a necessity for businesses of all types.
Fines, Infrastructure, and Audit
Potentially the most damaging effect of failing PCI compliance is the fines. Fines can range anywhere from $5,000 to $100,000 per month until compliance is obtained. Fines might be scary, but not as scary as the many noncompliant organizations that are missing key infrastructure, information security, and vulnerability management capabilities.
The remediation cost varies depending on how far behind the organization has fallen on following PCI DSS. Rounding out fines and additional infrastructure is the QSA audit itself. The price of having a QSA evaluate an organization varies, but can run upwards of $100,000.
PCI DSS provides all the direction an organization will need to obtain and maintain PCI compliance. Failure to follow the standards outlined by PCI can quickly earn an organization the status of non-compliance. Organizations that are non-compliant will experience fines, loss of market share, and need ongoing audits to prove compliance.
It is critical for any business that accepts, transmits, or stores credit card data to follow PCI requirements. A sound information security program is a good start, as well as a robust vulnerability management program. PCI compliance is all about protecting cardholders and cardholder data and preventing data breaches. Organizations that choose to ignore requirements when it comes to accepting payment cards will quickly find themselves a cash-based business or out of business entirely.