In recent years PCI DSS compliance has been pushed more and more by the banks and card payment institutions. Some companies have chosen to ignore or defer compliance because of the ‘light touch’ approach those same organisations have taken to non-compliance. Recent significant security breaches at major corporations have exposed the card data of millions of people, which in turn has led some to question the value of PCI DSS compliance, and some have taken the view that it is cheaper to be fined than to be compliant. However, with the scandals that have beset the financial services industry over recent years, such an approach has been consigned to history, and with the introduction of PCI DSS v3.0, ignoring compliance brings severe penalties.
One of the key reasons for the relatively low level of PCI DSS compliance is that many think it is too complex. In practice, compliance is often simpler than expected: the framework is relatively straightforward, and effectively executed IT best practice (network segmentation, access control, patching, logging and regular testing) covers most of what the requirements ask for.
In the UK, the penalties following a breach of card data from a non-compliant environment can be in the region of £100 per card affected, and Visa is looking to increase its non-compliance fees. Note that PCI DSS itself does not levy fines: the card brands fine the acquiring bank, which passes the cost on to the merchant under its contract. This means the financial damage to your business scales with the number of cards compromised. For a small or medium business the penalty has the potential to render the business insolvent. Even if a business is able to survive the financial hit, there is also likely to be an impact on trade should the breach enter the public domain, where it is likely to result in reputational damage. Recent years have seen many organisations freeze or reduce IT budgets. Cutting budgets for environments that need to meet PCI DSS v3.0 may turn out to be a false economy.
Under PCI DSS v3.0 the era of ‘light touch’ regulation and slapped-wrist penalties is over. The indications are that financial penalties are going to be stiffer, and it is time for a new attitude to PCI DSS compliance. Ultimately, it is the responsibility of the business that handles its customers’ card data to take charge of and control its PCI DSS v3.0 compliance status.
For more information, please look at the following links:
What is PCI?
Why Comply with PCI?
Common PCI FAQs