Why Merchants Need to Get Serious About PCI Compliance

No doubt that as a merchant, you’ve heard plenty about the Payment Card IndustryData Security Standard (PCI DSS)—the set of rules designed by the credit card brands to enforce card data security.

These rules—which apply to every business that collects, processes, and/or transmits card data—are industry rules rather than laws. However, we at E-Complish believe every merchant should achieve and maintain what is known as “PCI compliance.” Here’s why.

Money Matters

PCI-compliant businesses that experience a data breach are subject to significant fines levied by card brands. By most estimates, fines for lack of PCI compliance can range from $5,000 to $10,000 per month, depending on factors like the size of the business and the duration and degree of non-compliance. These fines can be assessed monthly and may increase over time until compliance has been attained.

Beyond fines for non-compliance, there are forensic investigation fees ($5,000 to $50,000); on-site, post-breach qualified security assessor(QSA) assessment ($20,000 to $100,000), credit monitoring for affected individuals ($10 to $30 per card); card re-issuance for affected individuals ($3 to $10 per card); breach notification costs ($2,000 to more than $5,000); and technology repairs ($10,000). This doesn’t even take into account increases in monthly card processing fees (assessed by card brands), legal fees, and civil judgments.

Additionally, merchants’ ability to accept credit card payments may be revoked by the card brands if they continue to avoid achieving PCI compliance following a data breach, resulting in a loss of business when customers do not want to pay cash for goods and services. The card brands may also assess a separate penalty against merchants fora data breach, even if they were PCI-compliant when the breach occurred. (The card brands do not publish these fines, but they are higher for businesses that were not in compliance with the PCI DSS when they were hit with a data breach).

So Many Threats

Malware threats, remote access attacks, social engineering—hackers and thieves perpetrate a myriad of threats to your business data, and computers, networks, and servers must all be protected from these threats. Following the PCI DSS to get the job done is as important as implementing physical security measures for your business.

Customer Confidence

Customer confidence—or a lack of it—has a bearing on business success. If customers cannot be confident that a merchant is doing all it can to keep their data safe, they will probably defect to a competitor, impacting the merchant’s bottom line. In fact, according to a survey conducted by Harris Interactive, more than 60 percent of U.S. adults would not return to a business after a data breach. You don’t want that business to be yours. Becoming PCI compliant, and remaining that way, instills confidence among your customers because it signals that you are serious about data security and are doing everything you can to keep their data out of the wrong hands.

Legal Matters

Customers that suffer as a result of a merchant’s data breach have the right to file a lawsuit against that merchant, as do other organizations and entities. The outcome of such a lawsuit will likely pack a financial wallop, especially if customers were falsely assured that the merchant’s systems were secure. Consider this: The Wyndham hotel chain experienced three data breaches. After the third such incident, the Federal Trade Commission sued Wyndham because following each breach, the company falsely declared that its systems were secure. Although the lawsuit ended in a settlement, it does illustrate the legal backlash that may come from a databreach—one that could have been prevented through PCI compliance.

As mentioned above, any business that collects, processes, and/or transmits card data should be a PCI-compliant business—and that includes us. Next month, E-Complish will have news about its own PCI compliance. We’re always paying attention to it—and so should you.