By Shekar Swamy, co-founder Omega ATC
PCI compliance can be a hassle. However, the real issue for businesses and retailers centers on the perception of expense: what is the cost of compliance, and what do retailers truly get in return?
To begin with, let’s unmask a few myths around PCI Compliance.
- PCI compliance is too expensive.
- PCI compliance is getting difficult.
- PCI compliant merchants don’t get breached.
1. PCI compliance is too expensive. In reality, there are three types of costs involved.
- Infrastructure update costs, which include the addition of technologies, hardware and software. This essentially means systems management and data security. This can be done either internally or with the help of a Managed Security Services Provider (MSSP). Partnering with an MSSP can reduce cost and remove the need to add specialized staff.
- PCI compliance assessment costs for hiring a Qualified Security Assessor (QSA) and going through the process of obtaining an Attestation of Compliance. This is applicable to Level 1 and Level 2 merchants.
- Ongoing compliance costs, which means keeping up with all the elements of the PCI DSS requirements to ensure the retailer’s data is secure and compliant at any point in time. Remember, there are approximately a hundred additional controls in PCI DSS 3.0.
2. PCI compliance is getting difficult.
- PCI compliance can be very challenging if retailers wait to start their technology upgrade work until after a breach, or until after they receive a letter from their acquiring bank asking for proof of compliance.
- Technology upkeep, another necessity of compliance, is hard. But automation can ease that significantly. It is important to note that automation removes the need to keep hiring.
- Proving compliance the first year is always difficult. But this gets significantly easier in the following years.
3. PCI compliant merchants don’t get breached.
- There are no 100% guarantees. Breaches happen more easily in environments that lack sound data security measures.
- Technologies may be intact, but people can falter. Any accidental error or oversight could open up the card data environment to breaches. Some violations may also be intentional.
- An important point to remember is that physical security is as important as data security.
Moving on to the expenses of non-compliance:
- Businesses are charged a fee every month by their processing banks for non-compliance. This is mainly to nudge them to become compliant and follow the payment card industry data security standards. Although it might not look like a significant fee, it can add up very quickly.
- Also, the fee is not a uniform nominal fee for every business. Processors are free to charge what they consider fair.
- Card brands charge significant fines if a breach occurs and if they are not shown proof of compliance with all requirements of PCI DSS.
- Businesses can lose their reputation with customers and their partners. How would you account for this in actual dollars?
- The cost of putting technologies in place after a breach can be significantly higher, depending on the gaps and the time available. If remediation takes time, and it will, the fines can extend over a longer period.
- Loss of productivity during remediation, with time spent enforcing rules and training employees, can be large as well. This expense may not be obvious right away.
- The most noticeable cost of non-compliance arises if an acquiring bank refuses to process card payments after an entity is breached. Customers whose credit cards were compromised may not continue doing business with the merchant, and this would be a huge revenue loss for the retailer.
A true comparison of compliance against non-compliance might show that the initial costs of getting data security in place appear high. But they pale in comparison with the expenses of non-compliance. The most tangible benefit is avoiding the fees and fines that retailers would otherwise have to pay, which can multiply over time, especially for a breached entity. Personal information attached to a credit card transaction is the most valuable information of all to consumers. They need to have the trust and confidence that their information is protected by their retailer.
Shekar Swamy is a familiar face to customers and partners, and has cultivated these invaluable relationships since co-founding Omega ATC in 1991. An expert in the field of remote and mobile computing, Shekar’s experience includes over 25 years in the information technology sector, dealing with the unique challenges of developing and deploying systems for remote users in retail chains and sales forces. With the launch of Omega ATC in 1991, Shekar’s company became one of the first providers of centralized retail systems management and security, focusing on managing systems and communications at remote sites. Today, Omega is a widely recognized provider of industry-leading data security solutions that accelerate retailers’ compliance with PCI DSS.