In recent blogs, we have focused on how best to ensure you comply with the PCI Data Security Standard. This week, however, we will look at the benefits of achieving and maintaining compliance, aside from meeting your contractual obligations!
As a rule, all organisations that store, process or transmit credit card information are obliged to comply with PCI DSS, as are companies that provide payment services on behalf of clients who store, process or transmit credit card information. So, let’s start by reverting to first principles. Why comply with the PCI DSS? In essence, it’s the most effective method of reducing the likelihood and impact of a payment card data breach. If your organisation is non-compliant and involved in a data breach, you could feel the consequences in a range of different ways, including loss of revenue, fines, revocation, brand damage and possible litigation.
And what are the benefits? The primary benefits of achieving compliance are helping you avoid the following:
Damaged reputation
Reputational damage is a big one and can have a lasting, and potentially irreparable, impact. Endangering your clients’ payment card information can not only result in financial penalties but can also damage your brand and lead to a breakdown in the trust it has taken you years to build. Once your security approach has been compromised, it will be extremely difficult for clients to start believing and trusting you again.
Revenue loss
A large-scale breach can severely decrease your revenue due to a loss of clients following the incident. To reinforce this, let me give you an example. One of the biggest recent breaches, in 2013, involved the Target Corporation, which was fined 18.5 million USD for an infringement that affected more than 41 million consumers and resulted in a 440 million USD loss of revenue in the first quarter following the breach.
Losing the ability to accept payment card transactions
On top of a loss of revenue, there is a strong likelihood of a hefty fine from the payment card brands. But even more damaging than fines is the prospect of having the right to process payment card transactions revoked by the card brands; such an action would make it nearly impossible to continue trading.
Legal action
Litigation is a likely outcome if cardholder information has been endangered. Back in 2007, TJX had to pay 40.9 million USD for a data breach that exposed more than 100 million bank cards to risk. In 2014, approximately 1.1 million clients of Neiman Marcus were affected by another data breach that was only detected after a 3-month delay.
Aftermath
According to the 2018 Cost of a Data Breach Study by Ponemon, the cost of a data breach involving fewer than 100,000 records is 3.86 million USD, a 6.4 percent increase from 2017. Furthermore, the cost of a ‘mega-breach’ (1M – 50M records lost) is between 40 and 350 million USD.
Conclusion
It seems clear cut that any money spent on achieving and maintaining PCI compliance is minimal compared to the potential costs, fines and devastating ‘domino effects’ associated with a data breach, particularly if there is an element of non-compliance with the PCI DSS. By implementing and maintaining a PCI DSS culture within your organisation, you can take a huge step towards mitigating your exposure.
How URM Can Help
If you are looking to assess and measure your current cardholder processing activities and practices against the PCI DSS, URM can assist by delivering a PCI DSS gap analysis. URM has found that there is significant confusion regarding PCI DSS, e.g. defining status (merchant or service provider), how to validate compliance (through QSAs or self-assessment questionnaires (SAQs)), how to reduce the burden of compliance and what exactly is expected in terms of implementation.
Want to Learn More?
If you are new to PCI DSS and are looking to gain more awareness of the requirements of the Standard, URM, under its PCI Security Insights initiative, is delivering a range of webinars which provide real-world insights on pitfalls to avoid and top tips for ensuring success with PCI DSS. The content of the webinars is based on the cumulative, real-world experiences of URM QSAs and consultants who have worked in PCI compliant organisations and have helped a wide range of organisations achieve compliance with the Standard.