Editor’s note: This blog post is an excerpt from our new ebook PCI DSS Compliance: Why It Matters and How To Obtain It.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security controls designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. PCI DSS was created by the PCI Security Standards Council, an independent body founded by major payment card brands including Visa, MasterCard, American Express, Discover, and JCB International.
What is the Purpose of PCI DSS?
Whenever a business accepts, processes, or transmits payment card data (e.g., credit or debit cards), it exposes itself to the risk that the data will be stolen. Hackers and cyber criminals want your customers’ card data. By obtaining the Primary Account Number (PAN) together with sensitive authentication data (the full magnetic-stripe or chip track data, the card verification code, or the PIN), a thief can impersonate the cardholder, make fraudulent charges, and commit identity theft.
Data breaches that expose cardholder data are common. In 2018 alone, payment card fraud losses worldwide reached $24.26 billion, and the United States accounted for the largest share of any country, 38.6% of reported card fraud losses. Identity theft was the third largest cause of fraud in the U.S. in 2018.
Businesses that don’t take precautions to secure their systems and networks are likely targets. Cardholder data can be stolen from many places: compromised card readers, paper records in a filing cabinet, a payment system database, hidden cameras recording the entry of authentication data, or a covert tap on your store’s wireless or wired network.
In 2006, the major payment brands (American Express, Discover, JCB International, MasterCard, and Visa Inc.) came together to address the need for a secure payment ecosystem. They formed the Payment Card Industry Security Standards Council with the mission of helping merchants, service providers, software developers, and manufacturers of payment applications and devices understand and implement a set of security standards designed to adequately protect cardholder data.
To fulfill this mission, the Council created the PCI Data Security Standard (PCI DSS): a set of technical and operational requirements for organizations that accept or process payment transactions, and for the developers and manufacturers of the applications and devices used in those transactions. By following the standard, organizations keep their defenses up and reduce the likelihood of costly attacks aimed at stealing cardholder data.
Does Your Business Need to Be PCI DSS Compliant?
PCI DSS compliance is required of every entity that stores, processes, or transmits cardholder data. Beyond the contractual obligation, the security it brings is essential to the long-term success of any organization that handles card payments, and it helps maintain the trust of customers who use their cards to buy your products and services.
The consequences of failing to protect cardholder data are severe. The liabilities your organization may face after a breach that compromises payment card data include:
- Lost confidence from customers
- Diminished sales due to reputational damage
- Card reissuance costs, which issuing banks pass on to the breached organization
- Compensation costs, such as providing affected customers with credit monitoring and/or identity theft insurance
- Legal costs, settlements, and judgments; lawsuits are a possible outcome when the data of many cardholders has been exposed
- Fines and penalties from the payment brands, typically ranging from $5,000 to $100,000 per month. They are levied on the acquiring bank, which passes them on to the merchant, and they depend on transaction volume, the merchant’s compliance level, and how long the organization has been non-compliant
- Termination of ability to accept payment cards (enforced by your acquiring bank or payment brands)
- Regulatory investigations. PCI DSS is a contractual standard, not a law, and the Federal Trade Commission does not enforce it directly. However, in the U.S. the FTC can investigate a breached company’s data security practices under its consumer-protection authority (Section 5 of the FTC Act), and if those practices were unreasonable it can impose penalties and binding consent orders that require years of independent security assessments.
- Lost jobs (e.g., CISO, CIO, CEO and dependent professional positions)
- Going out of business
To learn more about how to implement PCI DSS and keep up with its requirements over time, download the full ebook.