5 Consequences of PCI Noncompliance
- Any organization that interacts with cardholder data must be PCI compliant.
- Companies that don’t meet PCI DSS requirements can expect fines from payment processors.
- PCI DSS noncompliance also dramatically increases the likelihood, and consequences, of a data breach.
What is PCI DSS Compliance?
The PCI DSS (Payment Card Industry Data Security Standard) is a standard that was created by major card brands to standardize the requirements for securing cardholder information. The 12 PCI DSS standards create a complex compliance framework enforced by the PCI Security Standards Council. PCI compliance is determined by a yearly assessment of cybersecurity practices surrounding cardholder information.
Every organization that handles cardholder data must be PCI Compliant. While the PCI DSS is not a law, and is not enforced by the government, PCI Compliance is strongly enforced by payment networks and the PCI Security Standards Council. There are many consequences to not being PCI compliant, and we’ll look at the top 5 today.
PCI DSS Penalties for Noncompliance
Fines and Penalties
Fines from payment processors can cause a huge financial burden for companies that are not compliant with PCI DSS. Fines will vary based on the size of the business, and scope of the breach. Penalties will usually range from $5,000 to $100,000 a month until the issue is fixed and a company attains compliance.
Fines of $100,000 a month are more likely for large Level 1 companies that process over 6 million card transactions a year and have been noncompliant for several months. Smaller businesses, like Level 4 businesses that process under 20,000 card transactions a year, will pay fines closer to $5,000. PCI DSS compliance levels are determined by the amount of card transactions a company processes. Monthly fines increase based on the size of the company and the time that the company has spent out of compliance.
Penalties are usually transferred from the card brand to the payment processor, then from the payment processor to the company that violated PCI DSS. Because of this, penalties will vary between payment processors. Some payment processors may even charge additional fines on top of the penalties they must pay to the card brand.
All of these fines exist even if your company’s noncompliance does not end in a data breach. However, non-compliance creates security issues that are easily exploited by hackers looking to steal cardholder data. Noncompliance increases the likelihood of a data breach, especially if your company is not compliant for a long period of time. Noncompliance can also affect the aftermath of a data breach, which is what we’ll look at next.
Data Breach Compensation Costs
If your company suffers a data breach while noncompliant, your company will be responsible for compensation costs alongside other potential fines. Compensation costs are the costs associated with helping customers whose data has been compromised. This can include free credit card monitoring for customers, identity theft insurance, and even some service fee reimbursements. Cost will also likely include card replacements, which can range from $3-$5 per customer and will add up quickly when a large number of cards are compromised.
While PCI DSS does not guarantee safety from data breaches, a company that suffers a breach while PCI Compliant is less likely to suffer a breach and may have the associated fines lowered or eliminated. In the event of a breach, compliance still holds weight and shows that your company has not been negligent with PCI DSS security requirements.
If PCI DSS noncompliance leads to a data breach, customers may choose to take legal action. Lawsuits, or multiple lawsuits, are possible in any data breach. However, if you are not PCI compliant, customers and card brands can easily show your company’s negligence. If your business faces litigation on multiple fronts, whether from multiple customers or card brands, legal costs alone can be enough to cripple your company.
Endangering a customer’s data not only comes with fines and lawsuits, but it can also cause irreversible damage to your company’s reputation. Once your company has experienced a data breach, the customers affected may never have the same level of trust in your company again. Even unaffected customers may lose trust in your company, reasonably worried that their information may be compromised in the future.
Your company’s damaged reputation will also incentivize hackers by revealing that your company has been operating below standard. Not being PCI compliant is a huge data breach risk. If not fixed quickly, these weaknesses in your company’s security can be leveraged by hackers, leading to a data breach, which only increases the risk of more attacks.
Not only does PCI noncompliance come with financial costs, but any damage to your brand’s reputation can dramatically decrease revenue generation. In the case of a data breach, your company will have to juggle both the cost of the breach and the decreased revenue from scared or unsatisfied customers.
Customer trust cannot be resecured easily once it has been broken. No matter how well your company responds to a data breach, some customers may never return. Others may be hesitant, waiting to see what actions your company takes to resolve the issue. Maintaining PCI compliance is crucial to prevent data breaches, but also to win trust once a breach has taken place. The ability to show customers that you are compliant with PCI standards won’t fix a breach, but it can be a step in the right direction.
How to Prevent PCI Noncompliance
PCI DSS was created to protect cardholder data, and not complying with their recommendations means your company is operating below the bare minimum of security efforts. While data breaches are not a guaranteed outcome of PCI noncompliance, not adhering to PCI standards means that there are gaps in security that hackers can exploit. While no company wants to recieve fines for PCI noncompliance, the costs of a data breach can be far worse.
So how do you attain PCI compliance?
PCI compliance can be a lengthy, and expensive process. However, companies that store their cardholder data outside of your internal systems, you can dramatically reduce the scope of your PCI audits and easily attain compliance. Check out TokenEx tokens to see how you can secure your cardholder data in a way that reduces your compliance burden and eliminates the risk of cardholder data exposure in the event of a breach.
Not all tokenization providers are equal.
Download our free ebook to learn more about finding a tokenization solution that meets your needs, or contact us to learn more about tokenization from one of our experts.