Even if you don’t process a lot of credit card transactions, your organization could face severe consequences from PCI DSS non-compliance.
Businesses that don’t process a lot of credit cards often wonder why they need to comply with a security standard like the PCI DSS. As in most cases, a little knowledge of “why” can go a long way.
Businesses that don’t process more than 20,000 credit card transactions per year are categorized as level 4 merchants in the Payment Card Industry (PCI) world. Fortunately, level 4 has the fewest compliance requirements, and so demands the least effort to achieve compliance.
According to Payment Card Industry data, this tier of merchants is also the most vulnerable to crime and cyberattacks. According to the PCI Security Standards Council, 71 percent of hackers attack small businesses and merchants with fewer than 100 employees (PCI, 2016). Beyond the risk of a data breach, your contracts with an acquirer or payment processor will likely require your organization to be PCI compliant. This is true for every business that accepts even a single credit card for payment.
We’ve seen fines as small as $10 per month and as much as $5,000 per month or more.
Below are three risks you face with PCI DSS non-compliance:
What Happens If You Are Not PCI DSS Compliant?
1. You may suffer financial losses
Merchants that ignore the growing adoption of PCI DSS do so at their own peril, as the penalties for non-compliance are severe.
According to the primary PCI Compliance Blog, fines are not published or reported, and they usually end up being passed on to merchants. Banks pass the fines along as increased transaction fees or by terminating the business relationship.
Non-compliant merchants and payment processors can face fines from $5,000 to $100,000 per month until compliance is achieved. A fine of that size is manageable for a big bank, but it could easily push a small business into bankruptcy.
Additional costs include:
- Notification, card reissuance, and credit monitoring costs for affected parties
- Forensic investigation and remediation costs
- Increased rates charged by banks and/or processors
2. You may lose the ability to accept credit cards
More devastating than fines, the credit card companies may also revoke a merchant’s right to process credit card transactions, which amounts to a “virtual death sentence” for many organizations.
3. You may lose clientele due to negative reputation
Reputation damage is one of the harder costs to calculate in the wake of a cyber incident, and yet the bill can be very high when the time comes to account for eroded trust, a drop in confidence and lost customers. Reports demonstrate that 69% of consumers would be less inclined to conduct business with a breached entity; a breach can even lower share price and impair the ability to raise capital in the future.
It is evident that the cost of getting and staying PCI compliant pales in comparison to the potential costs and fines associated with a data breach. The good news is that simply by adopting the PCI operating guidelines, entities can mitigate many, if not all, of these risks.
Preparing for and maintaining PCI DSS compliance involves a lot of complexity, and the average merchant should not try to do it all alone. Our Ivrnet team will help you develop a plan for your business to maintain PCI DSS compliance today and every day.
Ivrnet is in the business of helping businesses achieve security compliance and ensuring they protect sensitive customer data. A leader in payment security, Ivrnet is a Level 1 PCI DSS certified Service Provider. Visit ivrnet.com to learn more, watch a webinar or request a demo of our Call Centre PCI compliant solutions for online and over the phone credit card payments.