Cybersecurity

The case for PCI compliance: Protect your customers—and your reputation

Online and contactless payment systems have been a way of life for some time now, but throughout the last few months they’ve been the preferred (and sometimes the only) option for many consumers. With every swipe, tap or number entry, credit card users have faith that the owner/operator of a business will safeguard their information. The fact that this regular action could make them a victim of a data breach rarely crosses their minds.

With the convenience and efficiency of contactless payments, however, the risk of security/data breaches has grown. That’s why the Payment Card Industry Data Security Standard (PCI DSS) was put into place—to help businesses better manage their customers’ credit card information. And as a business owner/operator, you would be well-served to take it seriously.

If you’re not compliant with these standards and a data breach occurs, your business is responsible. Fines can sometimes reach up to or even exceed $100,000 per month until you’re able to show evidence of compliance. And unfortunately, a lack of awareness is not a defense. 

The risks of non-compliance

Cyber criminals work quickly and methodically to access credit card information, making it difficult for ill-prepared companies to detect and resolve data breaches quickly. In 2019, the mean time to identify a data breach was around 206 days, up from 191 days in 2017, as shown in IBM Security’s 2019 Cost of a Data Breach Report. The time required to contain a data breach, meanwhile, currently sits around 79 days, compared to 66 days in 2017. If the data breach involves credit card information, you wouldn’t be able to accept credit cards during this time and until you can prove you are PCI complaint.

PCI compliance can help mitigate the effects of a data breach—but, according to a recent report from Verizon, only 28 percent of global organizations are fully-compliant with the PCI DSS. Four years ago, when compliance was at its peak, that number was double.

This is particularly troublesome because breaches are incredibly costly, both from a financial and reputational perspective. According to a report from global specialist insurer Hiscox, the average financial cost of a data breach is estimated at around US$200,000 per business—and 60 percent of breached companies go out of business within six months. The loss of customer trust, meanwhile, has serious and long-lasting financial consequences for a business, according to IBM Security’s 2019 Cost of a Data Breach Report.

How to avoid a data security breach: Protect your customers’ information and be PCI compliant

Fortunately, there are simple practices you can follow to protect your customers’ information—many of which are outlined, in detail, in the PCI DSS framework. From a high-level perspective, however, consider keeping the following points in mind:

  • If you don’t need to keep your clients’ credit card information, don’t.
  • If you do need to keep credit card information, understand where it is, who has access to it and that it is properly protected.
  • Make sure your network and databases are secured to reduce hacking risk.
  • Use PCI-compliant devices (like an approved Point-of-Sale, or POS, machine) and ensure all relevant third-party service providers are compliant.

It’s your responsibility to ensure that all relevant processes and technology are appropriately secure.  

Your Grant Thornton advisor can help

While it may be tempting to manage data risks on your own, using a PCI-compliant service provider for your credit card needs could be a more effective solution. But be aware—even if you choose to work with a service provider, you’re still ultimately responsible for any damages that may occur with your customers’ data. It’s up to you, therefore, to confirm that your provider has taken the appropriate measures to protect the data they hold for you.

Our PCI Qualified Security Assessors (QSAs) can help your business become PCI-compliant. We’ll work with you to identify which information you should keep, how it should be stored and who should have access.” Once this is done, you’ll be able to accept credit card payments with confidence and rest easy knowing your customers, and business, are protected.

If you’d like to learn more about our PCI compliance offerings, contact us.