In Part 1 of this 3-part series on PCI Compliance, we talked about the what of compliance, and in Part 2 we discussed the why of compliance. In this final installment of the PCI Compliance series, I want to talk to you about the exorbitant cost of non-compliance. Next week, I’ll talk to you about how to prevent a Website disaster.
Did you know that even if you are considered a small, Level 4 business with fewer than 20,000 transactions per month, you are still required to meet certain PCI compliance standards? At the very least, you must complete an annual Self-Assessment Questionnaire if you accept or process credit cards in your line of business. Even if you do not store credit card information, if any part of your payment process comes into contact with sensitive credit card information, you are required to meet PCI security standards. In fact, according to the PCI Security Standards Council (www.pcisecuritystandards.org), even if you process only one credit card transaction per year, you are required to meet the standards or face the risk of being fined or having your ability to process credit cards revoked.
The credit card industry has shifted its focus from Level 1 merchants to identifying and reducing the security risks in small businesses. Research completed by Bank of America shows that Level 4 credit card merchants account for 99% of all credit card transactions yet remain the highest security risk, particularly compared to larger firms, because these smaller businesses often cannot afford to place more emphasis on security or lack the IT knowledge to do so.
The High Cost of Non-Compliance
According to a recent poll by the PCI Security Standards Council, only 29% of small business owners had knowledge of the PCI compliance standards and only 11% were actually in compliance. That means there is a lot of risk out there, and risk is costly. It only takes having one confirmed security breach for a Level 4 merchant to suddenly be forced to meet Level 1 compliance standards, and the fines for security breaches can climb into the millions.
Visa Card, Inc. reports that more than 80% of its non-compliance issues came from Level 4 merchants. Credit card fraud losses amount to more than $1 billion each year, and while consumers are protected from being held responsible for purchases made with stolen credit cards, that cost is definitely passed on to merchants, so the shift in focus to small businesses with fewer than 20,000 credit card transactions per year is significant.
When a merchant is non-compliant, the business can be held liable for the cost of chargebacks as well as the cost of reissuing cards or supplying secure monthly monitoring for the hacked accounts. Replacement cards are typically charged to the merchant at $25-$75 each, and monthly monitoring can run $15-$40 per month per account. These costs come in addition to fines, forced security measures, and the potential of having your ability to accept credit cards revoked.
To paraphrase Ben Franklin, an ounce of prevention is cheaper than a pound of cure. The cost of non-compliance is significantly higher than meeting PCI compliance standards. As we wrap up our discussion about PCI Compliance, I hope the information I’ve presented encourages you to become PCI compliant.
If you’d like to receive regular technology updates from The View From Under the Hat, subscribe via RSS or email.
Photo by chrisstreeter

Comments
Do you do PCI compliance consulting and remediation?
I don’t offer standalone consulting for PCI compliance; only in conjunction with software development. Thank you for asking.