If you process card payments, you must be PCI DSS compliant. PCI DSS (Payment Card Industry Data Security Standard) is a program created by the leading card networks to guarantee the security of customer’s confidential card data. Neglecting compliance can land your business in serious trouble.
PCI DSS non-compliance is surprisingly common. According to Verizon’s most recent Payment Security Report, most companies have failed to achieve full compliance in the last 10 years, with just two exceptions in 2016 and 2017, when 55.4% and 52.5% of businesses were fully compliant respectively.
Where Does PCI DSS Apply?
If your business processes card payments or handles financial information, it must comply with PCI DSS. This means that if financial information is entered, stored, or transmitted through your website, you must ensure that your business is PCI DSS compliant. While the requirements are the same for all businesses, the methods for validating compliance depend on your average annual volume of payment card transactions:
There are four levels, which break down as follows:
Level 1
- More than 6,000,000 Visa, MasterCard or Discover transactions per year.
- More than 2,500,000 American Express transactions per year.
Level 2
- 1,000,001 – 6,000,000 Visa, MasterCard or Discover transactions per year.
- 50,001 – 2,500,000 American Express transactions per year.
Level 3
- 20,001 – 1,000,000 Visa, MasterCard or Discover transactions per year.
- Fewer than 50,000 American Express transactions per year.
Level 4
- Fewer than 20,000 Visa, MasterCard or Discover transactions per year.
Direct Consequences of PCI DSS Non-Compliance
Non-compliance penalties can range from $5,000 to $100,000 per month (roughly £4,000 to £80,000 in GBP). The specific amount is decided based on several factors, including the size and nature of your business, and the extent of your non-compliance.
The fines for non-compliance are commonly divided into four categories:
- One to three months of non-compliance: Fines can range from $5,000 to %10,000 per month depending on transaction volume.
- Four to six months of non-compliance: fines range from $25,000 to $50,000 per month.
- Seven or more months of non-compliance: fines range from $50,000 to $ per month.
Infringement consequences
Non-compliance with PCI DSS can result in direct infringement consequences. If your company experiences a breach and cardholder information is compromised, several penalties may be imposed, including but not limited to:
- Payment of $50 to $90 per cardholder whose information has been compromised.
- Termination of the relationship between you and your bank/payment processor.
- Increased rates charged by payment processors and banks.
- Costs of forensic investigation to determine the result of the breach.
- Compensation for customers whose data has been compromised.
It is important to understand that while PCI DSS helps reduce the risk of data breaches, it does not guarantee 100% protection against them. If your company is fully compliant and experiences a data breach, you may receive lighter penalties from credit card companies, but you will still have to face the consequences of the breach.
The Hidden Costs of PCI Noncompliance
It’s important to note that direct penalties imposed by payment processors are not the only consequences of noncompliance with the PCI requirements. The biggest threats come from the cyber crime itself, such as theft, fraud, and reputational damage. Loss of trust among customers, partners, and stakeholders can lead to decreased business opportunities and long-term damage to brand equity. Operational disruptions may also necessitate costly remediation efforts to restore systems and processes to full functionality.
According to a study by IBM and Ponemon Institute on data breaches:
- The average cost of a data breach to a company worldwide is $3.86 million
- In the global healthcare industry, a data breach costs $7.13 million on average
- For companies based in the US, the average cost of a data breach is $8.64 million
- On average, it takes 280 days to identify and contain a breach across all companies.
Furthermore, non-compliance can result in your company being placed on the Visa/Mastercard Terminated Merchant File (TMF), which can have significant reputational impacts on your ability to do business with banks, merchants, and other institutions. It remains on your record for at least five years.
By not complying with PCI DSS, you are introducing your organisation to some serious risks, including financial losses, legal liabilities, and reputational damage. By prioritising cybersecurity and investing in compliance measures, you can protect your business and your customers from the devastating consequences of data breaches and regulatory violations. Proactive adherence to PCI DSS standards is not only an obligation but also a fundamental responsibility for a modern business.
Your customers trust you to protect their information. Don’t let them down. Contact OmniCyber Security today to get started with your PCI DSS compliance.
