Benefits of PCI DSS Compliance

Alastair Stewart | Senior Consultant at URM | Published on 9 Aug 2022


In recent blogs, we have focused on how best to ensure you comply with the PCI Data Security Standard (PCI DSS). This week we will look at the benefits of achieving and maintaining compliance, aside from meeting your contractual obligations.

As a rule, all organisations that store, process or transmit payment card information are obliged to comply with PCI DSS, as are companies that provide payment services on behalf of clients who store, process or transmit payment card information. So, let's start from first principles. Why comply with the PCI DSS? In essence, it is the most effective method of reducing the likelihood and impact of a payment card data breach. If your organisation is non-compliant and involved in a data breach, you could feel the consequences in a range of ways, including loss of revenue, fines, revocation of your ability to accept card payments, brand damage and possible litigation.

And what are the benefits? The primary benefit of achieving compliance is that it helps you avoid the following:

Damaged reputation

Reputational damage is a big one and can have a lasting, and potentially irreparable, impact. Endangering your clients' payment card information can not only result in financial penalties but can also damage your brand and lead to a breakdown in the trust it has taken you years to build. Once your security controls have been shown to fail, it will be extremely difficult for clients to trust you again.

Revenue loss

A large-scale breach can severely decrease your revenue through the loss of clients following the incident. To illustrate, one of the largest breaches of the last decade, in 2013, involved the Target Corporation. Target later paid 18.5 million USD in a multi-state settlement over a breach that affected more than 41 million customer payment card accounts, and its profit in the quarter following the breach fell by roughly 440 million USD compared with the same quarter a year earlier.

Losing the ability to accept payment card transactions

On top of a loss of revenue, there is a strong likelihood of a hefty fine from the payment card brands. But even more damaging than fines is the prospect of the card brands revoking your right to process payment card transactions. Such an action would make it nearly impossible for most organisations to continue trading.

Legal action

Litigation is a likely outcome if cardholder information has been exposed. Back in 2007, TJX paid 40.9 million USD following a data breach that put more than 100 million payment cards at risk. In 2014, approximately 1.1 million customers of Neiman Marcus were affected by another data breach, which was only detected some three months after the attackers first gained access.

Aftermath

According to the 2018 Cost of a Data Breach Study by Ponemon, the average cost of a data breach involving fewer than 100,000 records is 3.86 million USD, a 6.4 percent increase from 2017. Furthermore, the cost of a 'mega-breach' (1 million to 50 million records lost) is between 40 and 350 million USD.

Conclusion

It seems clear cut that any money spent on achieving and maintaining PCI DSS compliance is minimal compared with the potential costs, fines and devastating 'domino effects' associated with a data breach, particularly if there is an element of non-compliance with the PCI DSS. By implementing and maintaining a PCI DSS culture within your organisation, you can take a huge step towards mitigating your exposure.

How URM Can Help

If you are looking to assess and measure your current cardholder data processing activities and practices against the PCI DSS, URM can assist by delivering a PCI DSS gap analysis. URM has found that there is significant confusion regarding PCI DSS, for example over how to determine your status (merchant or service provider), how to validate compliance (through a QSA assessment or a self-assessment questionnaire (SAQ)), how to reduce the burden of compliance and what exactly is expected in terms of implementation.

Want to Learn More?

If you are new to PCI DSS and are looking to gain more awareness of the requirements of the Standard, URM, under its PCI Security Insights initiative, is delivering a range of webinars which provide real-world insights on pitfalls to avoid and top tips for ensuring success with PCI DSS. The content of the webinars is based on the cumulative, real-world experiences of URM QSAs and consultants who have worked in PCI compliant organisations and have helped a wide range of organisations achieve compliance with the Standard.

Alastair Stewart
Senior Consultant at URM
Alastair is one of the most experienced and proficient Payment Card Industry Qualified Security Assessors (PCI QSAs) in the UK. He has completed in excess of one hundred successful reports on compliance (RoCs) against different PCI DSS versions along with supporting the completion of self-assessment questionnaires (SAQs).

Are you looking for help preparing for a PCI DSS assessment?

As a PCI QSA, URM can assist you with a range of services, including conducting gap analyses, helping you reduce your CDE scope and conducting penetration tests.
URM's diligence during these audits has resulted in the business as a whole pulling together to collectively ensure that we are up to par with the requirements. While our working relationship with URM's consultant is fantastic, we are held to account for every bullet point of every requirement on every audit, which is precisely what we expect. The consultant's efforts in ensuring that our PCI compliance is audited correctly are highly appreciated, as it gives the company an accreditation that we can be proud of and that we can show off to existing and prospective customers as proof of our security posture. A huge thank you to URM for providing such a valuable service.
Open Banking Platform