Image courtesy of FlyD via Unsplash
Is it true that data breaches are increasing?
Yes, breach costs increased a staggering 10% from 2023 to 2024, the largest yearly jump since the pandemic. And with 70% of breached organizations reporting that the breach caused significant or very significant disruption (IBM), it’s important you are doing everything you can to protect yourself. If your business accepts credit cards a form of payment, you are responsible for protecting cardholder data from a breach. Ensuring your business is PCI (Payment Card Industry Data Security Standard) compliant is critical—both to decrease the likelihood of a breach and minimizing your liability should a breach occur.
What happens if my business is non-compliant, and a data breach occurs?
Although PCI compliance isn’t mandated by law, failing to comply with PCI DSS can result in investigations, fines, and penalties. If your business is not compliant and suffers a breach, card issuers may hold you responsible for all costs of reissuing credit cards, including fraudulent credit card charges, which will likely include six to twelve months of personal credit card monitoring for every affected customer. Many businesses are required to hire a Payment Card Industry Forensic Investigator, and this doesn’t consider the fines themselves—ranging from $20 to $5000 or more per month depending on the details of the noncompliance and breach. Not only could a breach damage your business’s reputation, but depending on the size, it could have serious financial implications or lead to bankruptcy.
How long does it generally take a business to discover a data breach has taken place?
According to a recent report from IBM, it takes organizations an average of 204 days to identify a cyber breach and an additional 73 days to contain that breach. During that time, an unknowing, affected business will continue to accept credit cards, increasing the size of the breach.
How do I become PCI compliant?
PCI compliance is not a one-time project but an ongoing process to increase consumer protection through a set of 12 requirements. To ensure PCI compliance, you must implement the proper security policies, procedures, and staff training, as required by PCI DSS guidelines.
If you are unsure if you are compliant, you can check by auditing your merchant statements, which will show noncompliance via a penalty fine. You should check your three most recent, consecutive statements as some processors charge for non-PCI compliance quarterly rather than monthly. If you see a noncompliance fee, you will need to call your processor (have your merchant ID number handy) and ask them to help you begin the PCI compliance process.
Simple steps include changing your user account passwords on a regular basis, using a third party to monitor your network security, and reviewing your physical security measures such as employee training and IT infrastructure. It’s important to familiarize yourselves with the PCI DSS 12-step checklist, which includes firewall configuration, encrypting cardholder data and monitoring all network access, among other requirements. Regular security checks for vulnerabilities are a great way to ensure your customer data is secure and will save money and lower risks in the long run.
I have an integrated system, what should I be doing to ensure it is secure?
Implementing regular updates to any integrated software solutions is crucial. These updates often include critical patches for security and compatibility, and delaying them could lead to serious consequences, including HIPAA violations if you are in the medical industry, and failure to be PCI compliant, resulting in hefty fines and damage to your reputation. Keeping your software current ensures compliance and protects your business from costly penalties from your processor. Updates may also affect what information is being passed from your software during a transaction—if all the required data is not shared, you will be penalized.
Is there a third-party expert that can help me with this process?
If, given the high liability potential, you would prefer an outside expert ensures compliance, consider reaching out to an independent third party like Merchant Advocate. PCI noncompliance fees and other hidden and junk fees can be siphoning as much as 5% of your total net revenue, directly from your bottom line. An auditor can help with data security questions and analyze your merchant account to make sure you are not paying more than you need to—72% of businesses are overcharged.
In 2023, merchants paid more than $172 billion in processing fees, a 7.5% increase over the previous year. While some fees are the unavoidable cost of doing business, others can be reduced or eliminated if identified and negotiations with the processor are undertaken.
The ever-evolving landscape of credit card security and compliance underscores the need for constant vigilance to safeguard both your financial interests and customer data. Increasing awareness through education or an outside expert can lead to savings and peace of mind, empowering business owners to navigate the credit card payment ecosystem with greater confidence.