Why Should Maintaining PCI Compliance Become a Habit?
Maintaining PCI compliance is a continual project.
Following the PCI Data Security Standard (PCI-DSS) is an ongoing effort that has to be re-evaluated continually so that you keep protecting your organization and your customers' cardholder data; it is a standard, not a regulation, but the work of staying compliant never really ends.
Think of maintaining PCI compliance like a habit. Everyone struggles with creating and sticking with habits – whether it’s drinking enough water each day, budgeting and tracking expenses, blocking out time to regularly exercise. It takes time to make certain activities a daily part of a routine. However, once it becomes a habit, then you don’t typically view it as an inconvenience because it’s become second nature.
So why should following PCI compliance guidelines become a habit? If it’s treated as more of an afterthought, then you run the risk of leaving your company and customers vulnerable to a breach which can result in a loss of revenue and damage your reputation.
In a previous post, we covered the basics of PCI compliance so that you’d be more familiar with what it means the next time you see or hear the words.
This time, let’s dive into what the PCI-DSS requirements are, why you should be compliant, and what happens if your organization decides to be non-compliant.
What Are the 12 Requirements of PCI-DSS?
PCI-DSS applies to every business that stores, processes, or transmits cardholder data, and there are 12 high-level requirements that each one must meet, and keep meeting, to remain PCI compliant.
Beneath those 12 requirements sit roughly 200 sub-requirements, not all of which will apply to your business; which ones do depends on how you handle card data and which self-assessment questionnaire (SAQ) or Report on Compliance applies to you. Some requirements are considerably harder to achieve than others.
Can You Be Fined for Not Being PCI Compliant?
The most direct consequence of not complying with PCI-DSS is a monetary fine. Fines are levied by the card brands on your acquiring bank, which passes them on to you under your merchant agreement, and they vary with the circumstances. On top of fines, a breach brings its own costs: forensic investigation and audit fees, card reissuance and credit monitoring for affected customers, and legal fees if the breach is a large one.
If a data breach occurs at your business, you will be investigated to determine whether you were compliant at the time of the breach. Commonly cited fines range from $5,000 to $100,000 per month, and further penalties can be added for any other noncompliance findings. One of the biggest consequences is the stain on the company's reputation and brand: the financial loss can hit a company hard, but regaining your customers' trust is harder. You could also lose your merchant account, which means you can no longer accept credit card payments at all, and it's hard to imagine running a business that way.
The best way to avoid fines is to make compliance an ongoing process. Keep in mind that being PCI compliant doesn't prevent data breaches. It significantly reduces your chances of one because you have controls in place and are testing them, but it's no guarantee: a compliance assessment is a point-in-time check against a minimum baseline, and a system can pass its audit one day and be breached the next.
Are Virtual Cards PCI Compliant?
Virtual cards are becoming a common payment method, so it's no surprise that questions come up about whether they fall under PCI-DSS. Here's what the PCI SSC says on its website (FAQ articles 1285 and 1286):
“PCI-DSS applies to all primary account numbers (PANs) that represent a PCI founding payment card brand (American Express, Discover, JCB, MasterCard, or Visa). This includes PANs that are only provided electronically (virtual PANs) as well as PANs that correspond to a physical payment card. Whether a one-time PAN is in scope for PCI-DSS will depend on the particular restrictions around their usage as defined by the payment brands. Entities should contact the applicable payment brand to determine how PCI-DSS applies.”
Virtual card providers are expected to adhere to PCI-DSS requirements. If you're working with a virtual card provider and it's unclear whether they follow PCI guidelines for this payment method, ask them how PCI-DSS applies. Note that each payment brand may take a different position on whether a given one-time or virtual PAN is in scope, so the definitive answer comes from the brand itself. When in doubt, just ask!
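The scope question above ultimately comes down to knowing where PANs actually live in your systems, and a common surprise during a scoping exercise is finding full card numbers in application logs. The following Python example is added here and is not part of the original post. It scans constructed sample log lines for candidate PANs, keeps only those that pass the Luhn check and whose prefix matches one of the five founding brands named in the FAQ, and masks each one to the first six and last four digits, which is the most PCI DSS v3.2.1 Requirement 3.3 allows to be displayed without a documented business need. The prefix table is a simplified illustration, not an authoritative or current BIN list, and the log lines use well-known public test card numbers.

```python
"""Find, validate, and mask payment card PANs in free text (added example)."""
import re

# Candidate: 13 to 19 digits, optionally separated by single spaces or hyphens,
# not preceded or followed by another digit.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines using public test card numbers (not real data).
SAMPLE_LOG = """\
2019-07-02 10:14:03 checkout ok card=4111 1111 1111 1111 exp=12/22
2019-07-02 10:14:09 checkout ok card=378282246310005 amount=42.00
2019-07-02 10:15:11 order_id=1234567812345678 status=shipped
2019-07-02 10:16:40 checkout fail card=4111111111111112 reason=declined
2019-07-02 10:17:02 refund card=6011-1111-1111-1117 amount=9.99
"""


def luhn_valid(pan: str) -> bool:
    """Luhn check: from the right, double every second digit, subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_for(pan: str):
    """Attribute a PAN to one of the five founding brands by prefix and length.

    Assumption: simplified IIN ranges for illustration only, not a full BIN table.
    """
    n = len(pan)
    if pan[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= int(pan[:2]) <= 55 or 2221 <= int(pan[:4]) <= 2720):
        return "Mastercard"
    if n == 15 and pan[:2] in ("34", "37"):
        return "American Express"
    if 16 <= n <= 19 and (
        pan.startswith("6011")
        or pan[:2] == "65"
        or 644 <= int(pan[:3]) <= 649
        or 622126 <= int(pan[:6]) <= 622925
    ):
        return "Discover"
    if 16 <= n <= 19 and 3528 <= int(pan[:4]) <= 3589:
        return "JCB"
    return None


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (PCI DSS v3.2.1 Req. 3.3 display limit)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _normalize(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str):
    """Return (brand, masked_pan) for every validated PAN found in text."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        pan = _normalize(m.group())
        brand = brand_for(pan)
        if brand and luhn_valid(pan):
            hits.append((brand, mask_pan(pan)))
    return hits


def redact(text: str) -> str:
    """Replace validated PANs with their masked form; leave other digit runs alone."""
    def _sub(m):
        pan = _normalize(m.group())
        if brand_for(pan) and luhn_valid(pan):
            return mask_pan(pan)
        return m.group()
    return _CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    for brand, masked in find_pans(SAMPLE_LOG):
        print(f"{brand:16s} {masked}")
    print(redact(SAMPLE_LOG))
```

Note that the order ID and the Luhn-invalid card number in the sample are left untouched: the Luhn check and brand prefix together keep false positives low, which matters when the same scanner is pointed at a production log store. Treat any hit as a scoping finding, since a system that writes full PANs to logs pulls that log pipeline into PCI-DSS scope.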
Can Businesses Avoid Being PCI Compliant?
While staying PCI compliant can seem overwhelming and complicated, businesses shouldn't deliberately ignore the rules. A common misconception is that PCI-DSS is a law. It's worth reiterating that it's a standard created by the PCI SSC to promote an industry baseline for handling cardholder data and to better protect organizations from a breach; it is enforced not by statute but contractually, through your merchant agreement with your acquiring bank and the card brands' operating rules. Just like other rules we're expected to follow, think of PCI-DSS as a set of best practices worth incorporating into your business, and remember that breaking the rules typically carries consequences.
Why Should You Be PCI Compliant?
Improved security: By ensuring that your organization’s networks, systems, processes, and personnel are secure and customer cardholder data is protected from potential attacks, there is the knock-on effect of ensuring that other assets owned by your organization are also protected from leakage, tampering or destruction. This can include assets such as intellectual property and other types of sensitive and classified data aside from cardholder data.
Legal protection: Some U.S. states (directly or indirectly) require merchants to be PCI compliant by state law. For instance, PCI compliant entities in Nevada are protected from liability for damages in the event of a security breach, as long as the security breach wasn’t caused by gross negligence or intentional misconduct by the organization or any connected individual or entity. The legal protections provided by attaining PCI compliance are beneficial to the long-term stability and success of organizations involved in payment card processing.
Customer confidence: Achieving PCI compliance is a great way to boost customer confidence in your products and/or services, especially if you validate at Level 1. Level 1 validation means an annual on-site assessment by an independent, trusted Qualified Security Assessor (QSA) that produces a Report on Compliance (ROC), rather than a self-assessment questionnaire (SAQ). Additionally, a Level 1 service provider can be listed on the Visa and MasterCard registries of compliant service providers, which makes it easy for prospective customers to look up your company's PCI compliance status.
Impact of data breaches: According to Ponemon Institute’s 2019 Cost of a Data Breach Report, the average total cost of a data breach is $3.92 million. Breaches also continue to impact businesses negatively over a long period. This includes fines, lawsuits (and subsequent legal costs), penalties, reduced sales and loss of customers to competing organizations, job losses, and other numerous repercussions. Achieving and validating Level 1 PCI compliance goes a long way in ensuring that multiple security controls and processes are put in place to protect sensitive data from compromise.
Your company needs to monitor its PCI-DSS controls regularly so that you're better protected from a potential data breach. Even though it takes a while to make it "business as usual," once it does become a habit, you and the rest of your company won't think twice about it.
Next up, we’ll dive into what PCI-DSS requirements and sub-requirements are the most difficult to achieve and how you can plan accordingly.
Interested in learning more? Check out A Definitive Guide to PCI Compliance.