All companies that process credit or debit cards are required to be PCI compliant.
But is ongoing compliance really important? Or is it a box that needs ticking each time you have an external assessment run?
In today's post I explain the importance of ongoing compliance with PCI DSS.
What is PCI Compliance?
The first thing to note is that compliance can only be tested as a snapshot at a single point in time. When an external assessor comes in and tests your organisation's compliance, they're checking whether you are compliant at that moment.
Just because an assessor says you are compliant, doesn't mean that you'll be compliant tomorrow, next week, or next month. It's your organisation's job to maintain continual compliance. When you hear about exploits or data loss in the news, it's almost always the case that a company wasn't compliant at the time of the leak.
Bob Russo, general manager of the PCI Security Standards Council, has been quoted as saying that none of the big companies behind recent data breaches were PCI DSS compliant at the time of the breach.
For example, Heartland had a piece of paper from an assessor saying they were compliant, but they weren't at the exact time of the attack.
Being PCI compliant means meeting all the PCI DSS requirements at all times.
What are the Consequences of Failing to Comply?
There are a large number of consequences to not complying with PCI DSS if your company processes payments:
- Negative impact on customers - if your data is compromised, it has a big impact on your customers. Customers regularly confuse data loss with identity theft, and many will boycott you if your company releases their data.
- Negative impact on financial institutions - lost data leads to high costs for financial institutions, which can result in your company being charged more for its banking services.
- Negative impact on merchants - payment processors cover data losses within their charges to merchants -- companies losing data result in higher payment processing charges for all companies.
- Negative press - losses of data, particularly large ones, can often make international news. This can be hugely damaging to a company's reputation. Some companies never recover from the PR damage caused by a breach.
- Share price hits - if your company is public, a data breach will almost definitely result in a negative impact on the company's share price.
- Lawsuits - if it's proven that your organisation was not compliant with PCI DSS at the time of a breach, your organisation may be liable for damages.
- Payment processor & government fines - failing to comply with PCI DSS can result in fines from both your payment processor and government.
Remember that all it takes is one incident to seriously damage your organisation's reputation, and the financial penalties can be huge.
Data compromise is becoming increasingly complex each year, and PCI DSS compliance is in place to protect your organisation and its customers. If you're not compliant, you're open to a huge amount of risk.
How to Improve Compliance
Fortunately, there are two key actions your organisation can take to improve its compliance, and reduce risk:
- PCI DSS awareness training for employees - by educating staff on best practices for handling payment card data and general computer security, you significantly reduce the risk of breaches. Our PCI essentials computer-based training, developed in partnership with the PCI Security Standards Council, is an excellent tool for training new employees and refreshing the knowledge of existing employees.
- Make security a priority - security needs to be treated seriously within your organisation -- which means its own department, and someone who is directly accountable for security. If security isn't treated with priority, it's very difficult to maintain ongoing compliance.