What Is Cardholder Data In PCI Compliance?
Cardholder data, aka CHD, comes from credit, debit, and prepaid cards bearing the logo of one of the PCI founding card brands. CHD includes the...
With more than 510 million records containing sensitive information breached since January 2005, statistics indicate that cardholder data breaches are on the rise, and criminals are increasingly targeting small and medium businesses to obtain cardholder information. To help protect consumers’ payment data the payment card industry created PCI compliance.
The Payment Card Industry Data Security Standard (PCI DSS) has been in existence for years, requiring any merchant that processes, transmits, or stores customer’s cardholder data to achieve PCI compliance. The PCI compliance process comprises of 12 high-level PCI DSS requirements.
With the effort involved, entities may question whether they should allocate their time and financial resources or just ignore PCI compliance altogether. However, in the case of PCI compliance, the benefits ultimately outweigh the drawbacks as the risks associated with ignoring PCI DSS requirements can range from loss of reputation to financial ruin.
Merchants ignoring the growing adoption of PCI DSS do so at their own peril as the penalties for non-PCI compliance are severe. Non-PCI compliant merchants and payment processors can face fines from $5,000 to $500,000, depending on a variety of factors. In 2006 alone, Visa reported imposing $4.6 million in fines.
Additional costs include:
More devastating than fines, credit card companies may also revoke the right of a merchant to process credit card transactions, providing a “virtual death sentence” for many organizations.
Reputational damage, lost business and reduced partner/ consumer confidence and trust are just some of the after-effects of a data breach. Reports demonstrate that 69% of consumers would be less inclined to conduct business with a breached entity, which can even lower share price and impact the ability to raise capital in the future.
It is evident that the cost for getting and staying PCI compliant is pale in comparison to the potential costs and fines associated with data breach. The good news is that just by adopting the PCI DSS operating guidelines, entities can mitigate many, if not all of these risks.
It is not unusual for business owners to feel frustrated by the rules and requirements surrounding PCI DSS. Additional obligations excite few people, however the most productive way for merchants to think about PCI compliance is as a set of continuously evolving security best practices benefitting their business.
Engaging a Qualified Security Assessor (QSA) company such as Control Gap can simplify the process and help your organization adopt these practices and achieve compliance. Contact us at 1.866.644.8808 and we would be happy to help you.
Resources:
Desharnais, Yves B. PCI DSS Made Easy (PCI DSS 3.2 Edition). N.p.: n.p., n.d. Print.
https://www.namm.org/news/articles/pay-now-or-pay-later%E2%80%94-risks-associated-ignoring-pc
http://www.scmagazineuk.com/cant-we-just-ignore-pci-dss-and-get-on-with-life/article/216535/
https://iapp.org/news/a/2007-03-01-merchants-can-no-longer-ignore-the-pci-data-security-standard/
https://www.hytrust.com/wp-content/uploads/2015/08/HyTrust\_Cost\_of\_Failed\_Audit.pdf
Cardholder data, aka CHD, comes from credit, debit, and prepaid cards bearing the logo of one of the PCI founding card brands. CHD includes the...
The PCI Council has testified before Congress about standards and breaches in both 2014 and 2009 (links are to Google Searches). This year PCI is...
On May 1st a critical new and possibly unprecedented vulnerability was announced. The flaw in Intel's Active Management Technology (AMT) firmware...