What is PCI Compliance and Why Does it Matter?

What is PCI-DSS Compliance?

Businesses of all sizes that accept card payments have rules, regulations, and expectations to adhere to, regardless of the industry they serve or what they sell. If an organization stores, processes, or transmits cardholder data, it is subject to the Payment Card Industry Data Security Standard (PCI-DSS).

The purpose of these rules is to proactively protect you and your customers from card fraud and related security risks such as data breaches. Studies such as Verizon's Payment Security Report have found that businesses that fail to maintain full compliance with PCI-DSS are at much greater risk of a data breach and cardholder data theft than businesses that are fully compliant.

Compliance Statistics

Unfortunately, and to the detriment of millions of consumers worldwide, full PCI compliance among surveyed businesses is on the decline. According to Verizon's 2018 Payment Security Report, full PCI-DSS compliance dropped by nearly three percentage points compared with the previous year.

Only 52.5% of the organizations assessed in the 2018 report were fully compliant with PCI-DSS. Given that the organizations most likely to suffer a breach and the theft of cardholder information are the ones that are not fully compliant, this is a serious problem: nearly half of the organizations assessed were not fully compliant, which leaves a great deal of consumer cardholder data exposed to potential theft.

Penalties for Non-Compliance

And it is not as though there are no penalties for non-compliance. The card brands can levy fines, commonly cited as ranging from $5,000 to $100,000 per month, on the acquiring bank, which passes them on to the non-compliant merchant; the acquirer can also raise transaction fees or terminate the merchant's ability to accept cards at all. On top of that comes the loss of customer trust and the potential for lawsuits that can cost millions or more.

One of the most visible examples is Equifax, which in 2017 exposed the personal and financial information of about 147 million U.S. consumers, plus millions more in the UK and Canada. The breach happened because Equifax failed to patch a known critical vulnerability in a public-facing web application, and the company then waited roughly six weeks after discovering the intrusion before notifying the public. Equifax is a credit bureau rather than a retailer, and the settlement below was driven by consumer-protection law rather than by PCI fines, but the failure maps directly onto one of the standard's core requirements, Requirement 6: "develop and maintain secure systems and applications."

In July 2019 Equifax agreed to a settlement with the FTC, the CFPB, and 50 U.S. states and territories of at least $575 million, which could rise to as much as $700 million depending on the volume of consumer claims.

Target, one of the largest retail chains in the United States, had data from over 40 million credit and debit card accounts stolen in a 2013 breach. The retailer reached an $18.5 million settlement with 47 states and the District of Columbia in 2017, and its total costs related to the breach exceeded $200 million.

So it is not just the fines you should be concerned about. The far greater costs and consequences fall on your business if you fail to maintain PCI compliance and do not protect customer and payment information appropriately.

Why Does PCI Compliance Matter?

Every business that accepts credit card payments must adhere to PCI-DSS. The penalties are real, but the reason PCI compliance really matters is that it protects your customers and your organization from security threats. Verizon's 2018 Payment Security Report notes that in none of the payment card breaches its investigators examined was the affected organization fully PCI-DSS compliant at the time of the breach. The corollary is worth remembering: compliance is assessed at a point in time, and a control that was in place on assessment day but lapsed afterwards offers no protection when the breach comes.

Investing the time and effort necessary to become, and stay, PCI compliant should not be viewed as a burdensome task. It is an investment in the overall health of your organization and in the relationships and reputation you have built with customers and the public at large.

How do you become PCI-DSS compliant? 

The simplest answer is to start with the PCI Security Standards Council's official website, which publishes the standard itself, the Self-Assessment Questionnaires (SAQs) used by merchants that are not required to undergo an on-site assessment, and a large body of guidance on what the requirements mean and how to meet them. Compliance can seem daunting, but it is fairly straightforward once you understand what you need to do.

At its core, being PCI compliant means you have taken concrete steps to secure payment and customer information. It is not a one-time effort. The standard builds in ongoing work, including quarterly external vulnerability scans by an Approved Scanning Vendor and annual revalidation, and what you must do to keep cardholder data secure can change as the risks you face change. For most merchants the single most effective step is to shrink the scope of what has to be protected: do not store cardholder data you do not need, and hand off card capture to a validated payment processor so that full card numbers never touch your own systems.

Here are some key things to consider to begin your journey to full PCI compliance:
