PCI compliance is meant to minimize risk. That said, part of managing risk is determining whether the cost of mitigation and compliance exceeds the loss it avoids. Most of us have faced this decision when our cars get older. Do you keep paying for full coverage so you recover the car’s full value in a wreck, or is it more cost-effective to switch to liability only and absorb any personal losses from a future wreck yourself?
I’m asked regularly, “What happens if someone isn’t PCI compliant and they are compromised?” First, you will be fined heavily. The dollar figures are not published, because the Card Brands set fines subjectively on a case-by-case basis. Second, your acquiring bank can be fined as well, and you can be sure those fines will be passed right down to you under your merchant agreement. Third, and most important, even if your business survives the fines, your privileges to process cards can be revoked.
When deciding how to approach PCI you can use the analogy above to a degree. Do you spend a little more for peace of mind, or do you meet only the minimum requirement? Do you accept compliance as a cost of doing business and adjust your business model accordingly, or do you treat it as a fixed recurring fee to be dealt with as quickly and cheaply as possible? Either option is viable, depending on your company’s specific needs. Unfortunately, many companies forgo PCI entirely. This is analogous to driving with no insurance at all: sure, you’ll save money, right up until you suffer a compromise, or an authority (your bank, the Card Brands, et al.) discovers your lack of compliance and begins fining you or revokes your privileges altogether.
Something to be aware of: a checkmark doesn’t mean safety. A passing ASV scan or an approved RoC (Report on Compliance) does not mean you can neglect security for another year. A passing scan or RoC means only that you were found compliant at a specific point in time. If you are later compromised and the cause is that you changed a system without following your change-control policy, misrepresented your evidence, or provided insufficient scoping or access to the assessed scope, you will be treated as if you were non-compliant and fined accordingly.
So here’s a list of the consequences you may face for non-compliance:
- Fines and fees for compromised data, forensic investigation, et cetera
- Recurring non-compliance fees until your status changes
- Loss of privileges to process cards entirely
- Closure of the business because of fines and/or loss of the ability to process cards
- Loss of sales from customers who realize you’re not compliant
- Higher rates from, or outright refusal by, banks and merchant service providers