Compliance Knowledge Base | Information Security Training

Any business that stores, processes or transmits cardholder data must comply with the Payment Card Industry Data Security Standard (PCI DSS). These are the requirements set out by the PCI Security Standards Council to protect companies and consumers from data breaches and attackers. PCI compliance can seem extremely complex and time-consuming. However, neglecting your responsibility towards data protection has severe consequences, including financial losses and reputational damage.
Therefore, PCI compliance should be embedded throughout every department and activity in your business. To achieve this, you should incorporate instructions on how to comply with PCI DSS into your company's overall code of conduct. Educating existing employees and new starters on the importance of PCI DSS and the risks associated with non-compliance is an important first step.
Why is PCI DSS important?
There are many benefits associated with PCI compliance that contribute to the long-term success of a business. For example:
- Boosts customer confidence: Advances in technology have inevitably led to increased reports of data breaches and hacking incidents. Customers have responded by paying more attention to a business's record on PCI compliance. They're far less likely to use your products or services if they don't trust that you're capable of protecting their data. By demonstrating evidenced engagement with PCI compliance, clients can see that you're taking data security seriously, which boosts their confidence and, subsequently, your sales.
- Secures business data: As part of the mandatory risk assessment, many businesses pay close attention to physical security risks. However, organisations rarely implement equivalent measures to protect their digital assets and their employees. There are many threats you should be aware of, including remote-access attacks, social engineering and malware.
- Protects your customers' private data: If your clients trust you with their card data, you're responsible for the sensitive data associated with the transaction. Therefore, you have an ethical obligation to comply with PCI DSS in order to keep their personal information safe. If you fail to do this, you're liable to lawsuits and fines, especially if you led customers to believe your business was secure.
- Sets a standard for other businesses: As our reliance on the digital realm increases, it's important that all businesses take appropriate measures to become PCI compliant. Many organisations still regard the subject with some apprehension, as the procedures can seem daunting. Gaining a reputation for embracing PCI DSS compliance can be a valuable way to boost your brand image, and if more businesses follow your example, the result is a safer digital environment for everyone.

There are, similarly, many disadvantages associated with failing to comply with PCI DSS. For example:
- Fines and lawsuits: If your business suffers a data breach, the consequences can be very severe. Not only will you have to contend with the loss of data, but you will most likely face fines and lawsuits from customers or other organisations.
- Cost of data breaches: Data breaches cost you not only money but also customer confidence. The financial costs of a breach include card replacements, fines, investigations, audits and compensation for customer losses. A breach also causes significant reputational damage, which companies often struggle to recover from, as consumers find it hard to trust them again.
Case study
In 2018, Uber was fined over $1 million in total by the UK and Dutch data protection authorities following a data breach that occurred in 2016. The personal details of around 57 million riders and drivers were exposed after hackers gained access to their names, email addresses and phone numbers. Disturbingly, Uber paid the hackers $100,000 to delete the data and kept the breach quiet for a year, which demonstrates a complete disregard for its customers' personal information. Uber has since pledged to change how it operates and to commit to PCI DSS. Most importantly, Uber's Chief Legal Officer has promised to ensure regular security checks and reports in order to earn back the trust of customers. Whether these measures will restore consumer confidence in the business remains to be seen.