In today’s world, where massive data breaches occur on what can seem like a daily basis, no company or individual is safe. Equifax, Facebook, Target, and Verizon are just some of the enormous brand names that have graced the headlines over the last few years, and with the loss of their customers’ data went the decades-earned trust of those same customers as well.
Yet in 2004, the Payment Card Industry Security Standards Council (PCI SSC), formed from a consortium of the five largest payment card providers—Visa, Mastercard, Discover, American Express, and JCB—made a prescient move when they decided to pool resources and create the first version of the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is a set of twelve requirements outlining the security measures merchants must take when processing card payments, ranging from the way their networks are built, to the way they store sensitive cardholder data.
Although payment card fraud was a persistent issue at that time, companies still weren’t suffering anywhere close to the number of data breaches that plague them today. By implementing the PCI DSS and requiring any merchant who accepts payment cards to abide by it, the PCI SSC took a major proactive step toward protecting cardholders and ensuring businesses take security seriously.
Who Must Comply with the PCI DSS?
Simply put, any merchant who accepts card payments must comply with the PCI DSS. The standard outlines several merchant levels, which vary by the number of transactions processed per year and carry different reporting requirements. Regardless of the level a merchant falls into, however, every merchant must ultimately prove compliance. Learn more about PCI DSS merchant levels here.
What Happens If I Don’t Achieve Compliance?
For merchants that fail to achieve PCI DSS compliance, the card brands can choose to fine the merchant’s acquiring bank anywhere between $5,000 and $100,000 per month. The acquiring banks then usually pass these fines on to the merchant. For repeated violations, the card brands may revoke the merchant’s privileges to accept payments using their cards entirely.
Benefits of PCI DSS Compliance
Even though many merchants tend to think of compliance with these twelve requirements as burdensome and expensive, the requirements can bring about a number of benefits, from increased security to a stronger brand reputation. We’ve compiled a list of the top benefits merchants can expect to see when they achieve PCI DSS compliance.
Reduces the Risk of a Data Breach
One of the most obvious benefits of implementing the security controls found in the PCI DSS is exactly what they were intended for: reducing the risk of a data breach occurring. By requiring merchants to take measures such as using firewalls and encryption, and prohibiting the storage of cardholder information, the standard not only makes the organization harder for hackers to break into, but also reduces the amount of sensitive data they could steal.
With cyber threats coming from every direction nowadays, it’s hard to argue with this benefit.
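The data-minimization idea behind the previous section (store less cardholder data, so a breach exposes less) can be shown concretely. The following Python module is an added example, not code from the original article or from Semafone: it masks a PAN for display to the first six and last four digits (the maximum PCI DSS v3.2.1 Requirement 3.3 permits), strips sensitive authentication data such as the CVV from a payment record before it is persisted, and redacts Luhn-valid card numbers and CVV values that have leaked into an application log line. The field names, the record layout and the sample log line are constructed for illustration.

```python
import re

# Sensitive authentication data (SAD) must never be persisted after
# authorization, so these (assumed) field names are dropped before storage.
SENSITIVE_AUTH_FIELDS = frozenset({"cvv", "cvc", "cvv2", "track1", "track2", "pin", "pin_block"})

# A run of 13 to 19 digits, optionally separated by single spaces or hyphens,
# not adjacent to other digits. Candidates are confirmed with the Luhn check.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# SAD values written into logs as key=value pairs (constructed field names).
SAD_IN_LOG = re.compile(r"\b(cvv2?|cvc|pin)=\d+", re.IGNORECASE)

# Constructed sample log line: a PAN and a CVV have leaked into an application log.
SAMPLE_LOG_LINE = "2023-01-01 order=123 card=4111111111111111 cvv=123 status=approved"


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    parity = len(digits) % 2
    total = 0
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:  # every second digit, counted from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits; replace the rest with '*'."""
    digits = re.sub(r"\D", "", pan)
    if not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(record: dict) -> dict:
    """Return a copy of a payment record that is safe to persist.

    SAD fields are removed entirely and the PAN is kept only in masked form.
    If the full PAN is genuinely needed (e.g. recurring billing) it must be
    stored encrypted or tokenized instead, which is outside this example.
    """
    clean = {k: v for k, v in record.items() if k.lower() not in SENSITIVE_AUTH_FIELDS}
    if "pan" in clean:
        clean["pan"] = mask_pan(clean["pan"])
    return clean


def redact_pans(text: str) -> str:
    """Mask Luhn-valid card numbers and blank SAD values found in free text."""
    def _mask(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        # Long numbers that fail Luhn (order ids, timestamps) are left alone.
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)

    text = PAN_CANDIDATE.sub(_mask, text)
    return SAD_IN_LOG.sub(lambda m: m.group(1) + "=[REDACTED]", text)


if __name__ == "__main__":
    print(redact_pans(SAMPLE_LOG_LINE))
    print(sanitize_for_storage({"pan": "4111 1111 1111 1111", "cvv": "123", "amount": "10.00"}))
```

The Luhn filter matters in practice: a naive 16-digit regex would also mask order numbers and other identifiers, while a Luhn-checked match produces far fewer false positives when scanning logs for leaked cardholder data.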
Helps to Avoid Fines
While the card brands can impose fines on the acquiring banks of merchants who fail to achieve PCI DSS compliance, they are not the only ones who can impose hefty penalties. Depending on where a data breach occurs and whom it affects, governments can impose fines as well. For example, the European Union’s new General Data Protection Regulation (GDPR) includes provisions for fines of up to €20 million, or 4% of annual turnover, whichever is higher, when a breach involves the personal data of EU citizens. This could be an eye-watering amount to pay and could put many companies out of business. Following the requirements of the PCI DSS serves as a good baseline for preventing a high-profile data breach from occurring in the first place.
Data privacy concerns among consumers have never been higher, and for good reason. Just about everyone has been affected by a data breach at some point now, with nearly half of all Americans having their records exposed during the Equifax data breach alone. Protecting your customers’ data is not only the right thing to do, it’s a sound business decision as well. When customers feel their data is safe with you, they’ll reward you with their loyalty and can even serve as some of your best advocates by referring their friends and family.
Improves Brand Reputation
With technology breaking down traditional barriers to entry and continually leveling the playing field among competitors, one of the strongest assets any company has to rely on today is its brand. Avoiding a data breach is paramount to maintaining an untarnished brand reputation and to keeping your customers’ trust. While it can be difficult, if not impossible, to quantify, an investment in security is equivalent to an investment in your brand. As the number of data breaches among large companies climbs higher, consumers will vote with their wallets and do business with the brands they trust instead, which will hopefully be yours.
Imparts a Mindset of Security
For organizations that are just beginning to address security, the PCI DSS provides an excellent place to start. The twelve requirements serve as a robust and comprehensive framework against which to examine existing security procedures, and the self-assessment exercises that each merchant must complete are a fantastic way to reflect on how improvements can be made. For larger organizations that fall into merchant level 1, the Annual Report on Compliance (AOC) that a Qualified Security Assessor (QSA) must complete acts as an important third-party check on security controls and can further reveal vulnerabilities that internal teams may overlook.
Serves as a Globally Accepted Standard
A small and often overlooked benefit is that the PCI DSS is one of the few truly globally accepted security frameworks. Although it is not officially mandated by any governmental body, because the big five card brands operate around the world, organizations operating internationally do not have to worry about different security standards for card processing in each country. This alleviates at least one headache, as legislation varies widely around the world. For example, even within the United States itself, all 50 states have their own unique versions of data breach notification laws.
Provides a Starting Point for Other Regulations
Governments around the world are waking up to the large-scale security threats facing companies and individuals and have begun enacting legislation to address them. The main tenets of the PCI DSS, namely requiring organizations to take measures to limit the amount of sensitive information stored, provide a great starting place for complying with other regulations. The EU GDPR requires that companies store only the data that is necessary, and only for as long as it is needed, which will probably continue to be a common thread in legislation in other regions as well.
Peace of Mind
Finally, knowing that your company has taken the proper security measures and achieved PCI DSS compliance can go a long way in helping you gain some peace of mind.
Achieve PCI DSS Compliance Today
If your organization operates a call or contact center and allows customers to make payments over the phone, there’s an easier way to achieve PCI DSS compliance. Cardprotect by Semafone is a DTMF masking solution, allowing for simpler, more cost-effective PCI DSS compliance. Learn more today!