
PCI DSS: Failure To Comply

Published 22/09/2020

Who needs to be PCI Compliant?

If your business (or any business) accepts credit cards, you are required to be PCI compliant and to adhere to the Payment Card Industry Data Security Standard (PCI DSS) in order to protect against fraud and data breaches, which can have a lasting, damaging impact on your company if you ignore them.

The Payment Card Industry Security Standards Council (PCI SSC), which sets the standards, was created in 2004 by all the major payment card brands, such as Visa, MasterCard, American Express, Discover and JCB, to ensure that all merchants who accept, process, store or transmit credit card information do so securely.

The number of transactions your company processes per year determines the level of validation and documentation required. The levels range from Level 1, for larger companies that process over six million transactions annually, to Level 4, for a business that processes fewer than 20,000 transactions online over a 12-month period.

If you need to read more about what PCI DSS is, see our “What is PCI?” article, and if you need a better understanding of who needs to be compliant, head to our PCI: Who Is Required To Be Compliant page.

What Are The Risks To Your Business If You Don’t Comply?

Any business that fails to comply with PCI regulations runs the risk of a data breach, which in turn can have a truly devastating impact on your business: huge fines and penalties, reputational damage leading to a loss of customers and, worse still, the risk of your business closing down.

  • Substantial fines and penalties
    No matter the size of your business, you may be liable for substantial non-compliance fines if you are found to have been negligent. You may then lose your merchant account and be unable to take credit card payments. (See the section below for further details on fines and penalties.)

  • Legal costs, settlements and judgements
    If your customers’ data has been compromised, they may file a lawsuit, which can be extremely expensive. If you have failed to comply with PCI standards, the credit card companies may also take legal action, which can be even more costly.

  • Brand reputation
    A data breach can significantly jeopardise your company's reputation and customer loyalty because of the lack of security around credit card information. Customers are unlikely to trust your brand if you have been hit by a breach, especially if there has been negative press surrounding it.

  • Going out of business
    If you suffer a breach that PCI DSS compliance would have prevented, the damage to your reputation is again likely to cause an immediate drop in sales. The loss of sales, together with extremely high fines, penalties and potential legal costs, can be hard to recover from.

If you do suffer a data breach, it could be catastrophic for your business and, as already stated, could potentially lead to it being shut down.

  • PCI DSS fines for non-compliance
    If you are found to be non-compliant with PCI DSS, fines can range from $5,000 to $100,000 per month, depending on the size of your company and the scale of the non-compliance. Be aware that any fines the bank incurs can also be passed on to your business through higher transaction fees or service charges.

  • Cost of reissuing new payment cards
    For every card that is compromised, a replacement card must be sent to the affected customer. The cost can range from £2 to £5 per card or more. To put this in context, thousands of cards are typically compromised when a breach happens at a small business, but potentially millions are affected at larger companies.

  • Legal costs
    As mentioned above, a customer or credit card company may decide to file a lawsuit against you if it is found that you have failed to comply with PCI standards. These costs can mount up.

  • Audits and investigations
    Forensic investigations or audits will need to take place to establish the cause of the data breach and to prevent it from happening again. These can be extremely costly to your business.

  • Fraud prevention technologies
    To prevent a breach from happening again, the card brands will insist that you invest in programs and technologies, which again can be costly.

Being PCI DSS compliant is an absolute requirement for a business. As mentioned in this article, it helps protect your customers and can save costs and reduce risk in the long term.

Failure to comply with PCI DSS means you will face huge financial penalties, damage to your company’s reputation and a loss of customer trust, which in turn will lead to a drop in sales and could see your company cease trading.

So make sure you are up to date with regulations, reporting, and fraud prevention tools and technologies, to reduce what could be a severe and costly risk of a data security breach.