If you accept credit card payments, you’re likely familiar with PCI compliance and what it entails. If you accept credit card payments, or are considering it, and are NOT familiar with PCI compliance, be sure to take accurate notes on the information that follows.
PCI DSS Overview
Created in 2004 by the five global payment brands — Visa, Mastercard, American Express, Discover and JCB — the Payment Card Industry Data Security Standard (PCI DSS) is a contractual security standard that applies to any business that stores, processes or transmits cardholder data. It was created to protect cardholder data from theft and fraud.
To become PCI compliant, a business must implement the standard's controls: protect stored cardholder data, encrypt it in transit over public networks, restrict and monitor access to the systems that handle it, and regularly identify and remediate security vulnerabilities. Compliance is an ongoing process, not a one-time project. Merchants must validate every year (with a Self-Assessment Questionnaire or, for the largest merchants, an on-site assessment by a Qualified Security Assessor that produces a Report on Compliance), pass quarterly external vulnerability scans by an Approved Scanning Vendor, and report the results to their acquiring bank.
PCI DSS 3.0 became mandatory on January 1, 2015, and several of its new requirements that were only "best practices" until June 30, 2015 become mandatory on July 1, 2015. These raise the bar further: service providers with remote access to customer premises must use a unique authentication credential for each customer, and penetration testing must follow a documented methodology based on industry-accepted approaches (such as NIST SP 800-115) rather than an ad hoc scan.
Failure to become PCI compliant can have a huge negative impact on your business in several ways:
- Fines: Violating PCI compliance requirements can result in $5,000 – $10,000 in monthly fines, assessed by the card brands and passed down through your acquiring bank. Worse, in the event of a data breach, the fraudulent purchases made on your customers' cards come back to you as chargebacks and card-reissuance costs, for which a noncompliant merchant is typically held liable. A single chargeback may not seem impactful, but multiply it by the number of card records you hold. The result could be catastrophic.
- Audits and regulatory action: PCI DSS is a contractual standard enforced by the card brands and your acquiring bank, not a law, so noncompliance by itself does not trigger a government audit. A breach that exposes card data is another matter: the FTC has brought enforcement actions against companies whose data security it judged unreasonable, and state attorneys general have pursued breached businesses under consumer protection laws. No one wants the government peeking over their shoulder.
- Loss of Customers: How likely is a customer to return to your business after their data has been compromised? According to the Ponemon Institute, the average churn rate of customers affected by a data breach between 2013 and 2014 rose 15% from the previous year. Couple this with…
- Lawsuits: Customers whose payment data was compromised may go after you in court, and class actions are expensive and time consuming even when you prevail. Banks that had to reissue cards and absorb fraud losses have also sued breached merchants to recover those costs, and state attorneys general can bring actions on behalf of affected residents.
- Tarnished Brand Image: Besides unhappy customers voicing their displeasure on the internet post-data breach, the press may likely pick up the news and make it known to the world. Negative press is a nightmare to reverse.
If your business is hit by a data breach that involves customer payment information and you were not PCI compliant, any or all of the above consequences can burn your business straight to the ground. The sad and shocking truth is that while many businesses pass their annual assessment, only 11% of them maintain compliance between assessments, so the controls that were in place on assessment day have often lapsed by the time an attacker shows up.
PCI compliance doesn't have to be difficult. A little work up front will pay dividends. The SiteLock® PCI Compliance solution helps businesses comply quickly with its simplified questionnaires, avoid fees with easy reporting tools, and keep customer data safe with the PCI-certified TrueShield web application firewall. To learn more about SiteLock PCI Compliance for your business, click here.