No doubt that as a merchant, you’ve heard plenty about the Payment Card Industry Data Security Standard (PCI DSS)—the set of rules designed by the credit card brands to enforce card data security. These rules—which apply to every business that collects, processes, and/or transmits card data—are industry rules rather than laws. However, we at E-Complish believe every merchant should achieve and maintain what is known as “PCI compliance.” Here’s why.
PCI-compliant businesses that experience a data breach are subject to significant fines levied by card brands. By most estimates, fines for lack of PCI compliance can range from $5,000 to $10,000 per month, depending on factors like the size of the business and the duration and degree of non-compliance. These fines can be assessed monthly and may increase over time until compliance has been attained.
Beyond fines for non-compliance, there are forensic investigation fees ($5,000 to $50,000); on-site, post-breach qualified security assessor (QSA) assessment ($20,000 to $100,000); credit monitoring for affected individuals ($10 to $30 per card); card
Additionally, merchants’ ability to accept credit card payments
So Many Threats
Malware threats, remote access attacks, social engineering—hackers and thieves perpetrate a myriad of threats to your business data, and computers, networks, and servers must all be protected from these threats. Following the PCI DSS to get the job done is as important as implementing physical security measures for your business.
Customer confidence—or a lack of it—has a bearing on a business’s success. If customers cannot be confident that a merchant is doing all it can to keep their data safe, they will probably defect to a competitor, impacting the merchant’s bottom line. In fact, according to a survey conducted by Harris Interactive, more than 60 percent of U.S. adults would not return to a business after a data breach. You don’t want that business to be yours. Becoming PCI compliant, and remaining that way, instills confidence among your customers because it signals that you are serious about data security and are doing everything you can to keep their data out of the wrong hands.
Customers that suffer as a result of a merchant’s data breach have the right to file a lawsuit against that merchant, as do other organizations and entities. The outcome of such a lawsuit will likely pack a financial wallop, especially if customers were falsely assured that the merchant’s systems were secure. Consider this: The Wyndham hotel chain experienced three data breaches. After the third such incident, the Federal Trade Commission sued Wyndham because, following each breach, the company had falsely declared that its systems were secure. Although the lawsuit ended in a settlement, it does illustrate the legal backlash that may come from a data breach—one that could have been prevented through PCI compliance.
As mentioned above, any business that collects, processes, and/or transmits card data should be a PCI-compliant business—and that includes us. Next month, E-Complish will have news about its own PCI compliance. We’re always paying attention to it—and so should you.