It’s surprising how many businesses ask this question. Sometimes the cost of meeting compliance regulation seems to outweigh the risks. There are fees associated with not meeting the payment card industry (PCI) compliance regulations, but are these fines comparable to the cost of implementing the required cybersecurity protocols?
These are questions that every business that accepts credit and debit cards as forms of payment needs to address. Company owners and managers also have to consider the potential financial risks to their business if they are found to be PCI non-compliant.
In this article, we’ll cover what it means to be PCI non-compliant, along with how it can affect the business. We’ll also discuss the advantages of meeting the industry’s compliance regulations.
What Is PCI?
The Payment Card Industry Data Security Standard (PCI-DSS) is the set of cybersecurity regulations that merchants must comply with if they accept credit/debit cards. The acronym is typically shortened to PCI, but it still refers to the same standard.
Along with meeting the standards set by the payment card industry, businesses are also expected to fill out an annual self-assessment questionnaire (SAQ). If the company is out of compliance, an auditor may need to be brought in to perform the assessment. Unlike the self-assessment, an audited one can be expensive.
Non-compliance fines can be accrued on a monthly basis until industry standards are met.
PCI Non-Compliance Fees
PCI non-compliance fees can be confusing to business owners, primarily because of who is charging them. For example, Visa and Mastercard do not impose fines for PCI non-compliance, but the card processors do. Compliance requirements also vary depending on the number of annual transactions and the type of retail business.
For example, if the business does not use a payment gateway, there will be fewer compliance standards that need to be met.
This confusion can lead business owners to mistakenly believe that the non-compliance fines are being passed down to consumers in the form of interest rates and card-holder fees. This can lead to problems for the affected business.
PCI non-compliance fees are not passed down to the cardholder. The business is expected to pay the monthly fines until compliance standards are met. Companies can suffer in ways other than financially if their customers learn that their payment information was compromised and the business expects them to ‘eat’ the fines.
Businesses that lose the trust of the customers typically end up closing their doors.
What Are the Fines for PCI Non-Compliance?
A mistake businesses make is presuming their credit card processor won’t pay attention if they are non-compliant. While a company that doesn’t submit its annual SAQ might go unnoticed, if a cybersecurity breach does occur, the fines and penalties can be substantial.
The company will also have to alert every customer who was affected by the cybersecurity breach, and this can result in a loss of trust and business. Fines for PCI non-compliance can and do vary depending on a few factors. These include how many credit and/or debit card transactions the business processes annually, and the number of PCI requirements that aren’t met.
There are four merchant levels that determine the PCI compliance standards the business will be required to meet. Level four typically applies to small businesses, while the first level covers large, often international companies. The level the company falls into is determined by how many credit/debit card transactions it processes each year. E-commerce sales, if any, also count if a card was used to complete the purchase.
If a cybersecurity breach occurs, regardless of the company’s PCI compliance standing, the business will automatically be placed on a ‘high-risk’ tier. The amount of the fines incurred for non-compliance will depend on the severity of the breach, the number of standards that aren’t met, and whether a cybersecurity problem has occurred before.
Some merchants with multiple PCI compliance infractions might temporarily or permanently be suspended from processing any credit/debit cards, essentially turning them into a cash-only business.
What Are the PCI Compliance Regulations?
There are six goals or regulations established by the Payment Card Industry Security Standards Council (PCI-SSC). Within the six goals are 12 specific requirements, two per goal, that businesses will need to meet to avoid fines for PCI non-compliance. Here’s a brief summary of the six goals and the two requirements that come with each one.
- Create and maintain secure systems and networks
Do not rely on vendors to provide effective and efficient cybersecurity measures. Part of creating and maintaining a secure network and system is for businesses to:
  - Create unique passwords
  - Build their own firewalls
- Have protocols to protect cardholder data
Merchants often store consumers’ credit card and other information. If cardholder data is stored, it must be protected from cybersecurity breaches. There are several steps businesses can take to keep consumers’ private data secure:
  - Keep the online payment page separate from the company’s main website.
  - Take advantage of the cybersecurity features offered by a payment gateway.
  - Ensure all transmitted cardholder data is encrypted.
- Continually check for weaknesses in the cybersecurity protocols
Once the cybersecurity protocols are implemented, continuously monitor the network for any vulnerabilities. All anti-virus software should also be updated regularly.
- Limit access to protected information
Restrict online and physical access to cardholder data to a ‘need to know’ basis. The access controls in place must include identity authentication before authorization is granted.
- Monitor and test networks
Not all data breaches are immediately visible. Constantly monitoring and testing the network, along with tracking cardholder data, can help a business spot a vulnerability or breach before it becomes a larger problem.
- Keep the security protocol information clearly visible
Don’t hide the information on current cybersecurity protocols where employees can’t see it. Display copies wherever needed for easy reference.
Can a Business Afford to Be PCI Non-Compliant?
Businesses that are not PCI-compliant in one or more standards might think that there’s nothing to worry about. After all, they haven’t been notified by their processor and there aren’t any non-compliance fees on their monthly statements.
However, this doesn’t mean that the business isn’t paying. Their processing fees, or the fee charged for their monthly account, may be higher.
When a cybersecurity breach does happen, it can be devastating to the business. Not only do they have to pay a fine, they are also required to let their customers know their personal data was hacked. Merchants know that once they lose the trust of their customers, it is hard to recover financially.
If this isn’t the first time cardholder data was hacked and the company is still out of compliance, they could lose their ability to process credit and debit card payments. This can even apply to their e-commerce marketplaces.
Getting and staying in compliance with PCI standards can be costly for businesses starting from scratch. It can also be time-consuming, even for an experienced IT department.
However, as expensive and frustrating as it can sometimes be, it’s better than paying the fines for PCI non-compliance.
If you need help meeting PCI compliance standards or have questions about the regulations, the experts at RSI Security are here to help.