What are the Consequences of Non-Compliance with PCI DSS?

Any entity that stores, processes or transmits cardholder data should comply with the Payment Card Industry Data Security Standard. Data breaches can result in fines, loss of sales and reputational damage. DeltaNet International explains what PCI compliance is and what happens if a business isn’t compliant.

As technology becomes more advanced and sophisticated, crimes associated with fraud have increased exponentially. Many consumers have suffered as a result and have consequently become more cautious about inputting their personal data onto websites. This poses a challenge to businesses and highlights their responsibility towards ensuring they handle card payment procedures sensibly. Every merchant or payment service provider must be PCI compliant, which means adhering to the Payment Card Industry Data Security Standard (PCI DSS), the set of requirements outlined by the PCI Security Standards Council.

The requirements relevant to your specific business will depend on the number of processed transactions recorded per year. Both the administrative and technological departments within a business need to be aware of PCI compliance, and so you should work on incorporating instructions on how to comply into your company’s overall code of conduct.

Why is PCI compliance important?

Maintaining PCI compliance has many security benefits that contribute to the long-term success of all merchants who process card payments. Customers are, rightly, extremely protective of their personal information, and so they need to be able to trust businesses with their card payments. By committing to PCI compliance, organisations secure healthy and trustworthy payment card transactions for hundreds of millions of people worldwide. By adhering to the correct standards, businesses can be secure and confident that they’ll quickly identify any threats and vulnerabilities that could impact the company.

What happens if you aren’t compliant?

Technically, compliance with the standards for PCI DSS is not required by law in the UK. However, there are many financial costs associated with non-compliance, including fines set by the payment brand. These are called Card Scheme fines, which are passed to the acquirer and then to the merchant. These fines can be so great that merchants are forced to stop trading. The size of the fine will vary depending on the number of card transactions processed. It’s also important to note that data losses often involve the loss of personal data, which means breaching the Data Protection Act 1998. The Information Commissioner’s Office (ICO) has enforcement powers to impose fines of up to £500,000 for this.

As well as fines, there are many other costs associated with PCI non-compliance. For example, if you have suffered a data compromise, you are obligated to engage a PCI Forensic Investigator (PFI) in order to establish the source of the breach. This can cost thousands of pounds, which you will be liable for if the investigator finds evidence of non-compliance. If your business fails to comply with PCI standards, you may also need to consider legal costs, fraud losses, card replacement costs and expensive forensic audits.

If your business becomes associated with failure to meet industry standards regarding PCI, customers will quickly lose confidence in your ability to protect their sensitive information. This results in diminished sales, as customers decide to go to more reliable merchants. It’s also important to note that businesses should take responsibility for PCI compliance out of ethical obligation, as well as a means to control financial risks. You should not abuse consumers’ trust and confidence, which means taking the necessary measures to protect their personal data. Therefore, whilst PCI compliance isn’t officially mandatory, you should regard compliance with the same level of responsibility and vigilance as you would a legal requirement.