The past 12 months have seen a significant increase in the volume and value of card transactions in the UK and, with the contactless limit having been increased to £45 and due to rise to £100 later this year, PCI DSS compliance should be a top priority for businesses.
It’s concerning, therefore, that a recent Gov UK report highlighted that only three in ten businesses (28%) are fully adhering to PCI DSS standards, four in ten large businesses (42%) and just 11% of charities. Source: Cyber Security Breaches Survey 2021
Whilst PCI DSS compliance is not a legal requirement, it is mandatory as set out by the PCI Security Standards Council (PCI SSC) for businesses accepting card payments. Non-compliance could lead you to face fines from your acquirer of around £10 - £150 per merchant ID per month if you process card payments.
The other aspect you need to be aware of is protecting your customers’ data in general (this includes the payment card details they entrust you with). This is governed by the ICO and not meeting these standards can leave you open to a fine from the ICO, of upwards of £3,000. This could completely cripple your business.
If you experience a breach however, penalties can be much greater. For example, in early 2020, DSG (the owner of Currys PC World and Dixons Travel stores), was fined £500,000 for a cyber-attack where malicious software had been installed on tills in 5,390 branches and harvested the payment card details of 5.6 million people. This was the maximum fine that could be levied at the time when the breach occurred. Under GDPR this could now be significantly greater.
PCI DSS is short for Payment Card Industry Data Security Standards. It is an information security standard which all businesses that accept card payments must adhere to. As well as protecting customers’ information, it also protects organizations from data breaches and costly fraudulent transactions.
PCI DSS compliance is relevant to any business accepting card payments. As well as in-person payments, it covers payments by a virtual terminal (e.g., when payments are taken over the phone) along with payment gateways for online transactions.
It is about protecting your customers’ payment data and making sure it doesn’t fall into the wrong hands.
Non-compliance is bad news for businesses and the pain could extend past just your wallet, with your bank even possibly choosing to terminate your account.
The consequences can be catastrophic and, at worst, could lead to your business being shut down.
No matter how large or small your business is, you could be liable for fines from your acquirer for non-compliance.
These fines appear on your statement and you are responsible as a merchant for completing a self-assessment questionnaire (SAQ) depending on your level, which is dictated by your card turnover.
Acquirers are able to know if you meet these standards for, by example, scanning your network for compliance with security rules.
If a customer’s payment card is compromised, a replacement will need to be sent out and this is a cost that you will need to cover. Cards cost £2 - £5 each and with thousands of cards generally being compromised when a small business experiences a breach, costs here can be significant.
If found to have failed to comply with PCI DSS standards, then you could find yourself at the painful end of a lawsuit from either a customer or card scheme. In addition, a costly forensic examination may need to be carried out by a Qualified Security Assessor (QSA).
Businesses often rise or fall based on their reputation and a data breach can significantly damage this. Customers are much less likely to trust a company that has been hit by a breach, particularly if there is negative press surrounding it.
Whilst there is a cost to making sure you are compliant; the potential cost and risks of non-compliance are far greater. Here are a few tips for maintaining the cyber security of your business:
Using a robust firewall and virus protection will not only protect your IT system as a whole, it will also help ensure that your data does not become vulnerable to cyber criminals.
Using the same network for your WiFi, cabled back-office computers, payment terminals, printers and more presents a significant vulnerability. Payments should be on a segregated network, in order that systems are not easily accessible and especially segregated from CCTV and other business tools that leave networks highly vulnerable.
Whilst these are two key steps, it is recommended that you speak with a QSA who will carry out an audit to ensure you are protected. Some businesses could be paying fines without knowing it and therefore can actually save money by implementing the appropriate measures.
This article was produced by one of our partners; Blue Scorpion, who specialize in providing payment and PCI DSS compliance solutions. They have a range of solutions such as: Cyber Protect, IP Protect Lite and IP Protect Enterprise packages and can provide a free health check to ensure you are compliant.
Minimize fraud without adding customer friction - Learn more about PCI 3D-Secure (3DS 2.2) today
ZeroRisk provides much needed insights that Merchant Service Providers (MSPs) can use to enhance security and reduce risk across their entire portfolio. Learn more.