PCI DSS. If your company deals with credit cards and you don’t know what those letters stand for, you should. While the public relations nightmares, response costs and expensive class action defense fees associated with major data breaches garner most of the headlines in the mainstream media, many companies that are victims of data breaches also face significant compliance costs, penalties and fines as a result of contractual relationships with credit card companies, credit card processors and banks. These all stem from a company’s failure to comply with PCI DSS.
So what is PCI DSS? It’s the Payment Card Industry Data Security Standard, which is the proprietary information security standard for organizations that handle branded credit cards from the major card brands, including Visa, MasterCard, American Express and Discover. PCI DSS compliance is an ongoing process and is far too complicated to discuss in detail here. For an overview of PCI DSS and the complete requirements, you can go here. But for our purposes, we will just focus on the risks of not complying.
To be sure, PCI DSS compliance is not easy—even for companies with the best of intentions. According to Verizon’s 2015 PCI Compliance Report, which was released last week, 80 percent of businesses fail their interim PCI compliance assessment. Even when companies are able to achieve compliance, only 29 percent manage to remain fully compliant less than a year after being awarded a certificate of compliance. The report shows that there are three primary areas that fall out of compliance: (1) testing security systems regularly, (2) maintaining secure systems and (3) protecting stored data.
Despite the difficulties, companies should strive to comply with PCI DSS, because failure to comply can have significant consequences. First, noncompliance increases the likelihood that a breach will occur, since PCI DSS was designed to harden the systems that handle cardholder data, and a breach carries its own cost: the Verizon report shows that 69 percent of consumers are less inclined to do business with a company that has been breached. Second, failure to comply will damage a company’s reputation with business partners—in fact, many industry partners will not work with companies that are not PCI DSS compliant. Finally, when companies suffering a breach are not PCI DSS compliant, credit card companies, credit card processors and banks often will seek to impose draconian contractual requirements upon them, including a mandatory investigation by a forensic investigator with loyalties to the credit card company and noncompliance fees that often start at $100,000 or more.
The bottom line is that PCI DSS compliance should be part of your corporate vocabulary. Although it is a difficult standard to maintain, the benefits are worth it.