
What is the cost of PCI non-compliance?


The emergence of most new industries and technologies brings with it an urgent requirement for regulation. Inventors, pioneers and disruptors create brave new worlds but someone else has to impose order on the chaos that results. Take the example of the automobile. In the UK an act of parliament - the Motor Car Act 1903 - was required to introduce drivers' licences. All these did was identify vehicles and their drivers. It took years for a serious system of oversight to develop. The driving test was not offered until 1934 and even then it was voluntary for the first year.

Inevitably, legislation and regulation lags behind innovation. In the payment card industry, a post-war invention, the same story has played out. Throughout its first few decades, very little external control existed and it was largely the nascent ecommerce industry in the 1990s which alerted the payment card companies to the hugely increased dangers of theft and fraud, perpetrated by technologically skilled criminals. Suddenly personal financial information was flooding the internet, low-hanging fruit for clever opportunists.

Before PCI DSS

Visa was the first of the majors to construct a set of security standards, the Cardholder Information Security Program. Announced in 1999 and implemented in 2001, it was heralded as a measure that would "protect Visa cardholder data by ensuring clients, merchants, and service providers maintain the highest information security standard."

Mastercard, American Express and others soon followed but the result was predictably confusing. Merchants who accepted most or all of the major credit card brands were subject to a scattershot regulatory regime consisting of several different security programs. These programs were not necessarily in conflict with each other but they did make compliance with the demands of all companies extremely complicated. Furthermore, mismatches between provisions left gaps that criminals were quick to spot and exploit.

The arrival of PCI DSS

The founders of the PCI were American Express, Discover, JCB International, Mastercard and Visa. In 2004, they got together to develop the first universal set of industry security standards, and in December 2004 PCI DSS 1.0 came into effect. All merchants accepting payment by credit card and all payment processing companies were obliged to comply. The standard did not have the force of law, but any business that did not comply was effectively frozen out.

In 2006, the PCI Security Standards Council was established to oversee the future content and enforcement of the standards. In the same year, PCI DSS 1.1 superseded 1.0, adding a requirement to review all online applications and put in place firewalls. Version 2.0 appeared in 2010 to streamline the assessment procedure. Version 3.0 in 2015 placed specific emphasis on the security education of employees in companies accepting card payments, more flexibility in methods of authentication and a focus on shared responsibility in a time of multiple third-party touchpoints.

In 2018, Version 3.2.1 introduced five new requirements relating to multi-factor authentication and the migration away from Secure Sockets Layer (SSL) and early Transport Layer Security (TLS). 2022 sees the release of Version 4.0, which recasts security as a continuous process and promotes flexibility in achieving the goals of the standard.

The benefits of PCI DSS compliance

The purpose of the standard is to protect the data entrusted to you by your customers. Security is a common concern for people who buy online, so compliance is reassuring to them. However, what is not so often appreciated is the extent to which a business itself also benefits from these stringent security requirements. It is not only your customers' data which could be at risk, but also that of your employees, partners, suppliers and of your business itself. Once a hacker breaches your defences, there is no way of knowing how far they will get and what they will find.

As a business responsible for holding data safely, you could find yourself on the receiving end of some fairly aggressive lawsuits in this increasingly litigious age. Compliance means that not only are you using the best security measures so far developed, but you are also giving your company a legal defence against court action, because by complying with the standard you are taking every reasonable measure to protect sensitive and valuable data. It is also extremely unlikely that you will face the potentially heavy fines that are available if breaches happen despite your adherence to all the guidelines.

PCI DSS recognises that not all businesses and organisations represent equal levels of risk or have the resources to implement the full security infrastructure. The industry, therefore, recognises four levels:

  • Level 1. Merchants processing over 6 million card transactions every year
  • Level 2. Merchants processing 1 to 6 million card transactions every year
  • Level 3. Merchants processing 20,000 to 1 million card transactions every year
  • Level 4. Merchants processing fewer than 20,000 card transactions every year

A large part of the compliance regime involves self-certification through completing questionnaires. What tends to happen after a breach is that the circumstances are investigated, and if the breach can be traced to a failure to implement measures that the company claimed in its questionnaire to have met, sanctions will be imposed. It is also likely that merchants will have to submit to - and pay for - an assessment of their security arrangements to make sure the shortcomings that enabled the breach have been dealt with.

What could non-compliance cost you?

If you collect, process, transmit or store personal credit or debit card details, there is no way of escaping the PCI DSS regime. In order to take payments using the services of any of the card companies, you will have to sign a contract in which you agree to accept fines and penalties for non-compliance. There have been some troubling court cases in which merchants have claimed they were unfairly fined and in some cases they have won. However, the vast majority of businesses avoid fines simply by following the requirements of the standard to the letter.

Some companies may be tempted to make a calculated risk assessment of the costs of compliance compared to the chances of receiving fines. This is a dangerous position to take because the consequences of PCI DSS non-compliance can be devastating, possibly even fatal.

What is a PCI non-compliance fee?

If a breach occurs for which you are responsible through failure to comply, and consumer data has been endangered, then you can be fined £79 per customer. Multiply that by an entire database and the scale of your potential losses becomes serious.

Fines can be imposed by your acquiring bank and on the whole their size is at the bank's discretion. They could be for tens of thousands of pounds if you're lucky, or hundreds of thousands and more if you're not.

Recurring charges are not mentioned as often as fines but can be just as punishing. After a breach, it is possible that the bank will introduce permanent additional charges payable on every transaction. This can severely disrupt your budget and make it very expensive to continue trading.

Insurance premiums could very easily increase as the result of a breach. Your insurance company will probably demand high payments to secure sufficient cover in the event of further breaches. They might also judge that your entire network is essentially insecure and vulnerable to other kinds of attack. Your premiums and any future claims could be negatively affected.

Another consequence which could be even more damaging to your business is the possibility that your bank or payment provider will terminate your relationship. If you lose your payment provider as a result of security weaknesses, then it will be almost impossible to find an alternative. That would effectively end your business.

Reputational damage

Consumers have always been cautious, if not suspicious, about embracing online activities which require them to entrust their financial details to the internet. They can't see locks and keys, and they are not able to observe security procedures. For a long time people - especially the older generation - were hesitant to adopt internet banking.

Fear of having card or bank details stolen is one of the main sources of consumer resistance to online shopping of any kind. A company that can demonstrate robust security measures and a solid track record can overcome this resistance. Even leaving aside the moral responsibility to safeguard customer information, it is essential for any business wishing to trade online to assign paramount importance to the safe handling and storage of data. Customers could lose substantial sums of money and even experience identity theft which in some ways is even more serious.

If a customer suffers loss of any kind as a result of a breach in your security, and it is a breach which would not have occurred had your company been PCI DSS compliant, then this could seriously damage the reputation of your business. You might feel that non-compliance doesn't make for a great story, but in these days of social media and online review sites, news of your breach could circulate widely and rapidly. Not only could that discourage past customers from returning, but it could make it very difficult to attract new ones. Once trust is broken it is much harder to regain.

The knock-on effect of this is not limited to reduced sales revenue. If your company has shareholders it may cause an immediate drop in the share price. Not only does the value of your company fall in the eyes of the market but you might come under unwelcome pressure from your shareholders to take drastic remedial action. Then there is the possibility of legal action from customers who have suffered loss. One successful lawsuit can lead to a slew of others. Is this avalanche of consequences really worth risking?

How PCI DSS non-compliance relates to other regulations

There are indirect consequences of non-compliance to be considered as well. PCI DSS is just one of several globally applicable regulations affecting the use of personal financial data. There is a great deal of overlap between them, which makes compliance with PCI DSS a very good starting point for meeting the requirements of these other measures. If you're in breach of PCI DSS, it's almost certain you'll be in breach elsewhere. The following are just the main regulations that share the same ground as PCI DSS.

General Data Protection Regulation

Credit card data is classed as Personally Identifiable Information (PII), and therefore its storage, transmission and handling are governed by the GDPR. This is an EU regulation, but because it covers every one of the 450 million residents of the EU it applies automatically to any business trading within the bloc. A breach of PCI compliance is a breach of the GDPR and can be punished.

However, while penalties for PCI DSS breaches are discretionary, GDPR lays them down explicitly. A fine can be as high as £17 million or 4% of the global turnover of a business, and these are not just threats: Marriott was fined £18.4 million and British Airways £20 million.

Canadian Regulation

Canada's equivalent to GDPR is the Personal Information Protection and Electronic Documents Act (PIPEDA), which provides for fines up to CAD$100,000.

Australian Regulation

For data breaches, the Australian Privacy Act now allows the imposition of fines up to AU$10 million or 10% of a company's annual domestic turnover.

US Regulation

The Californian Consumer Privacy Act (CCPA) specifically protects residents of California, which is technically the world's fifth-largest economy. The success of the act is encouraging many other states to adopt similar measures.

With data protection receiving such attention in most of the economies of the western world, through measures that are by their nature and application global, compliance is essential. As we've mentioned, all these laws and regulations are designed to achieve the same results and contain very similar provisions. If your business is not PCI DSS compliant, then it is impossible for it to meet the demands of these other regimes.

The simple solution

We haven't gone into the detailed requirements of compliance here, but they are complex, exacting and demand an investment of time, personnel and resources. Fortunately, it is possible to obtain what is in effect an exemption from the obligations laid down by PCI DSS. If you use the services of a payment provider such as Paytia, you are effectively contracting out your responsibilities, because at no point are you collecting, handling, storing, processing or transmitting the data of your customers. The payment provider does all of this for you with their own built-in compliance. In this way, you can satisfy all the demands of PCI DSS and avoid the hazards of non-compliance.