Understanding the Consequences of Failing PCI Compliance

With the increasing popularity of online banking and shopping, credit card transactions have flourished in tandem. At the same time, credit card data theft and identity theft increased dramatically from 2010 to 2020; examples of major banks and retailers that have suffered significant credit card data breaches abound (JP Morgan, Capital One, Target, Macy's, Equifax). The Payment Card Industry Data Security Standard (PCI DSS) was created to combat this growing menace. PCI DSS aims to secure cardholder data and sensitive authentication data from unauthorized access and loss. Cardholder data consists of the primary account number (PAN), expiration date, cardholder name, and service code. Applications that store, process, or transmit cardholder information must be protected, and careful planning is required to implement and demonstrate compliance with all PCI DSS controls. It is vital to note that PCI DSS is not just a technology compliance standard; it also covers people and processes. This article details the key challenges and consequences of failing PCI compliance.

1. Legal costs and settlements

Clients who suffer from a vendor data breach caused by PCI DSS non-compliance can file lawsuits against the defaulting organization. There have been many cases where the theft of payment card data has led to significant lawsuits. For instance, in 2014, customers sued Target because regulators determined that its Point of Sale (PoS) systems did not provide adequate protection. The lack of proper protection allowed cybercriminals to install malware that scraped credit card data from memory as cards were swiped across many PoS systems. In addition to costly class-action claims from clients, businesses may have to pay damages to payment card issuers, which spend millions of dollars re-issuing credit cards and reimbursing victims of fraud. While big corporations can pay and survive these lawsuits, small and medium-sized enterprises (SMEs) mostly cannot and usually file for bankruptcy. The overall cost of multi-front litigation and legal counsel can significantly and negatively impact businesses that do not take PCI DSS compliance seriously.

2. Loss of permission to accept credit cards

We all know that a significant share of transactions in most businesses occurs by credit and debit card. Imagine the impact of losing the permission to accept card payments because of a failed PCI compliance assessment or a data breach. The inability to accept card payments would be a significant inconvenience for any organization. If an organization thrives on an e-commerce business model, losing the ability to accept credit and debit cards can put it out of business. Hence, meeting PCI DSS compliance should be a no-brainer for any enterprise that accepts credit or debit cards as its primary payment method.

3. Reputation damage

PCI non-compliance does not just lead to financial penalties; it can also cause irreparable damage to the company's reputation. Clients trust the company to protect their data, and falling short of this promise leaves a poor impression. Regaining a client's trust can be a challenging task. In contrast, showcasing robust compliance offers the business a competitive edge. Clients will perceive the organization as a responsible business entity if it provides adequate security control measures and commits to routine PCI compliance audits.

4. Compensation costs

When a data breach happens, the business must compensate customers because it failed to uphold PCI requirements. Compensation can take the form of free credit card monitoring for a year, identity theft insurance, or service fee reimbursement. These complimentary services are essential for retaining clients, but they drive up costs for any business.

5. Fines

The most damaging effect of failing PCI compliance is paying fines. Fines can range anywhere from $5,000 to $100,000 per month until compliance is satisfactory. The remediation costs depend on how far the organization has fallen behind on compliance.

Ultimately, implementing a comprehensive security framework costs far less than the penalties and brand reputation damage resulting from PCI violations. PCI DSS must be built into business activities as part of an organization's overall security strategy to ensure that adequate security controls remain in place. It allows an entity to monitor the effectiveness of its security controls regularly and maintain its PCI DSS compliant environment between PCI DSS assessments.

At Nollysoft, we help businesses stay up to date with the essential PCI compliance requirements. Meeting the PCI requirements can be challenging for any business, but there is no need to do it alone. Nollysoft is a leading IT services provider that can help your business meet its PCI compliance needs. Our professionals provide expert recommendations for securing payment card information. Connect with us to learn more!