PCI compliance is mandated for all merchants who store, process, or transmit sensitive payment card data. The PCI DSS is a set of twelve specific requirements that these merchants must adhere to. These standards are not necessarily easy to achieve, but that doesn’t make them any less valuable to your future business success.
So what are the costs of becoming PCI compliant? The up-front cash requirements can, unfortunately, be rather daunting, depending on how far you have to go before you reach PCI compliance. Some estimates say that the nation’s largest companies could spend hundreds of thousands of dollars as they take the steps to reach compliance.
Now, while this is an extreme example, the fact of the matter is that compliance can be costly and time-consuming for any company. So the question surfaces: is it worth it?
Here is what could be considered a better question: what constitutes a valuable investment? And then the follow-up: does PCI compliance fit this definition?
An investment implies that a person expects to get more out of it than they put in. And the higher the investment, the higher the expected return. When it comes to PCI compliance, some merchants have come to the conclusion that the immediate cash return is not obvious or large enough to validate or convey the value of the required investment.
However, this viewpoint is, for lack of a better term, a big mistake.
Another important way to view an investment and evaluate its worth is to consider what it will cost you if you don’t make the investment.
The Payment Card Industry Data Security Standard includes a number of incentives and penalties, both designed to encourage PCI compliance. Merchants, as an incentive, are offered protections from fines if they are compliant at the time of a breach. On the other hand, a merchant can suffer fines as high as $500,000 per incident if they are not.
The example most often used as the poster child for the costs of non-compliance, and one that has recently gone through litigation, is the TJX company.
Recently, the FTC made its ruling on the TJX incident. Beginning in July of 2005, hackers were able to take advantage of several weaknesses in the company's security, and easily stole nearly 100 million credit card numbers over a span of about 18 months. On top of that, when the company transmitted data for returned items, the data required for those transactions – which included a lot of personal information – was also stolen.
In the FTC ruling, it was decided that TJX created an unnecessary risk to personal information by storing it on, and transmitting it between and within, its various computer networks in clear text, meaning that anyone who intercepted it could read it. The ruling also said the company did not use readily available security measures to limit wireless access, nor did it require administrators to use strong passwords, or different passwords for different programs.
And the list goes on.
Now let’s analyze the costs of not reaching PCI compliance.
The fines that were levied against TJX were steep. Add to that the legal fees, call center costs, and more, and some estimates put the monetary costs in the hundreds of millions of dollars. But there are other costs to consider here as well, and the most important one is the cost to your reputation.
It can take years to build a reputation as a trustworthy merchant, and a single moment to lose it. How long will it take you to earn it back?
Can you ever earn it back?
In today’s high speed commercial environment, it is absolutely crucial to keep up with trends, developments, and, most particularly, mandates. And as consumers also evolve, they will demand more safety and security from the companies they do business with.
PCI compliance is a very valuable investment. The costs of adhering to the standards may be high, but as we have seen from actual examples, the costs of not adhering to the requirements are far, far worse.