Benefits of PCI DSS Compliance

Alastair Stewart
|
Senior Consultant at URM
|
PUBLISHED on
9 Aug
2022

In recent blogs, we have focused on how best to ensure you comply with the PCI Data Security Standard. However, this week we will look at what the benefits are of achieving and maintaining compliance….aside from meeting your contractual obligations!

As a rule, all organisations that store, process or transmit credit card information are obliged to comply with PCI-DSS along with companies that provide payment services on behalf of their clients who store, process or transmit credit card information. So, let’s start by reverting to first principles.  Why comply with the PCI DSS? In essence it’s the most effective method of reducing the likelihood and impact of a payment card data . If your organisation is non-compliant and involved in a data breach you could feel the consequences in a range of different ways including loss of revenue, fines, revocation, brand damage and possible litigation.

And what are the benefits?  The primary benefits of achieving compliance are helping you avoid the following:

Damaged reputation

Reputational damage is big one and can have a lasting, and potentially irreparable, impact.  Endangering your clients’ payment card information can not only result in financial penalties but it can damage your brand and lead to a breakdown in the trust it has taken you years to build. Once your security approach has been compromised it will be extremely difficult for clients to start believing and trusting you again.

Revenue loss

A large-scale breach can severely decrease your revenue due to a loss of clients following that incident. To reinforce this let me give you an example, one of the biggest recent breaches in 2013 involved the Target Corporation which was fined 18.5 million USD for an infringement that affected more than 41 million consumers and resulted in a 440 million USD loss of revenue in the first quarter following the breach.

Losing the ability to accept payment card transactions

On top of a loss of revenue, there is a strong likelihood of a hefty fine from the payment card brands. But even more damaging than fines is the prospect of having the right to process payment card transactions revoked by the card brands, such an action would make it nearly impossible to continue trading.

Legal action

Litigation is a likely outcome if various cardholder information has been endangered.  Back in 2007, TJX had to pay 40.9 million USD for a data breach that exposed more than 100 million bank cards to risk.  In 2014, approximately 1.1 million clients of Neiman Marcus were affected by another data breach that was only detected after a 3-month delay.

Aftermath

According to the 2018 Cost of a Data Breach Study by Ponemon, the cost of a data breach involving less than 100,000 records is 3.86 million USD – a 6.4 percent increase from 2017.  Furthermore, the cost of a ‘mega-breach’ (1M – 50M records lost), is between 40 – 350 million USD.

Conclusion

It seems clear cut that any money spent on achieving and maintaining PCI compliance is minimal compared to the potential costs and fines and devastating ‘domino effects’ associated with data a breach, particularly if there is an element of non-compliance with the PCI DSS. By implementing and maintaining a PCI DSS culture within your organisation, you can take a huge step to mitigating your exposure.

How URM Can Help

If you are looking to assess and measure your current cardholder processing activities and practices against the PCI DSS, URM can assist by delivering a PCI DSS gap analysis. URM has found that there is significant confusion regarding PCI DSS, e.g. defining status (merchants or service providers), how to validate compliance (through QSAs or self-assessment questionnaires (SAQs)), how to reduce the burden of compliance and what exactly is expected in terms of implementation.

Want to Learn More?

If you are new to PCI DSS and are looking to gain more awareness of the requirements of the Standard, URM, under its PCI Security Insights initiative, is delivering a range of webinars which provide real-world insights on pitfalls to avoid and top tips for ensuring success with PCI DSS. The content of the webinars is based on the cumulative, real-world experiences of URM QSAs and consultants who have worked in PCI compliant organisations and have helped a wide range of organisations achieve compliance with the Standard.

Alastair Stewart
Senior Consultant at URM
Alastair is one of the most experienced and proficient Payment Card Industry Qualified Security Assessors (PCI QSAs) in the UK. He has completed in excess of one hundred successful reports on compliance (RoCs) against different PCI DSS versions along with supporting the completion of self-assessment questionnaires (SAQs).
Read more

Are you looking for help preparing for a PCI DSS assessment?

As a PCI QSA, URM can assist you with a range of services, including conducting gap analyses, helping you reduce your CDE scope and conducting penetration tests.
Thumbnail of the Blog Illustration
Information Security
Published on
5/8/2022
What Are the Service Provider Levels

In this blog, we turn our attention to service providers. The PCI Security Standards Council defines a service provider....

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
10/11/2023
Pros and Cons of Delaying Your PCI DSS v4.0 Transition

Transitioning to PCI DSS v4.0 sooner rather than later has its advantages and disadvantages, in this article URM explores both sides of the argument.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
9/8/2022
Benefits of PCI DSS Compliance

In recent blogs, we have focused on how best to ensure you comply with the PCI Data Security Standard....

Read more
It was an interesting presentation since we had the updated standard released last week. Thanks
Webinar 'Abriska 27001 Risk Assessment'
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.