For two decades, the Payment Card Industry Data Security Standard (PCI DSS) has been the only show in town when it comes to regulating cardholder data. Created by the five big card companies (Visa, Mastercard, Discover, JCB and American Express) in 2004, it aims to enforce compliance through a kind of carrot-and-stick approach. That is, follow the rules and your organization will be able to continue processing card payments as usual. But fail to comply, and major fines could be headed your way.
The potential costs involved in non-compliance are intended to make the choice a no-brainer for most businesses.
Why PCI DSS?
PCI DSS applies to any organization that stores, processes or transmits cardholder data – which is almost any organization today. Although devised in an attempt to improve data security following some high-profile corporate breaches of card data, such breaches are still with us:
- In 2020, Warner Music Group (WMG) suffered a three-month long digital skimming attack, where customer card numbers and personal details were stolen from its e-commerce sites via an external service provider
- In 2008, Heartland Payment Systems suffered one of the worst data breaches of its kind, when an estimated 100m+ cards were compromised
- A breach at Equifax in 2017 led to the compromise of financial and personal data on around 147 million people
The latest iteration (version 4.0) of PCI DSS introduces a series of new technical and operational requirements to bring it up to date with modern technology, offer companies more flexibility, and try to ensure they treat compliance/security as a continuous endeavor rather than a one-off tick-box exercise.
They are treated slightly differently depending on the number of transactions processed per year, with stricter compliance requirements (and penalties) for those at the upper end:
No. of Card transactions per year:
Level 1: Over 6 million.
Level 2: 1-6 million.
Level 3: 20,000 to 1 million.
Level 4: Fewer than 20,000 transactions per year.
The cost of non-compliance
Organizations that fail to comply with PCI DSS will face potentially severe fines. Often, a serious data breach is the event that prompts an investigation into compliance. Penalties are calculated based on how long it takes to fix:
- During the first three months, monthly fees for non-compliance are $5,000-$10,000 depending on card volume
- From 4-6 months, the fees increase to $25,000-$50,000 per month
- After the seventh month, fees rise to $50,000-$100,000 monthly
A serious breach of the cardholder data environment (CDE) would likely also incur a fee of around $50-$90 per affected customer. However, this doesn’t preclude those customers launching their own bid for compensation via the courts.
It should also be clarified that the above financial penalties are calculated and levied by the payment card brands on acquiring (merchant) banks. The latter then pass on the charges to erring merchant customers. They may also add other non-compliance charges, compensation fees or costs incurred such as for digital forensic investigations.
Other incidents which may lead to PCI DSS fines are:
- Failing to report a breach within a specified time
- Failing to use a PCI DSS-compliant service provider
Then there are indirect costs to consider, such as:
- Cardholder class action suits
- Reputational damage
- Business disruption including lost productivity
- Remediation and investigation costs
- Other regulatory fines from a breach (eg GDPR)
Data-centric security
The good news is that card brands may lower or completely eliminate any fines if a merchant is breached but found to be PCI DSS compliant. That puts the pressure on compliance teams to ensure they meet the rigorous requirements of the standard. Data-centric security should be a key foundational step for any program.
Comforte’s Data Security Platform automatically and continuously discovers and classifies cardholder data, wherever it resides, then applies strong data protection in line with policy. Crucially, we offer tokenization as a data protection method. Tokenization can help to reduce the scope and cost of PCI DSS compliance by removing cardholder data from the CDE.
By removing the footprint of “in-scope” systems, organizations can streamline compliance and reduce the impact of data breaches.
