Michel Helal

Hey big spender - are you thinking it's cheaper to just pay the fines for not being PCI compliant?



Is achieving PCI compliance worth it? Wouldn’t it be cheaper and easier to just pay the fines?


When complying with the Payment Card Industry Data Security Standard (PCI DSS) is discussed, the questions “is it worth it?” and “can’t we just pay the fines if we are non-compliant?” come up. The cost of a PCI compliance program varies with the complexity of the environment and the merchant level. Depending on the size and complexity of the PCI cardholder data environment, a PCI compliance audit can cost USD 80 thousand or more. Annual maintenance and certification can cost over one million US dollars. When funding is tight, eliminating PCI compliance can look like an easy way to balance a budget.


“Is PCI compliance worth the cost?” is a legitimate question, but the answer is often based solely on a comparison of the cost of a PCI compliance program against the estimated costs of non-compliance. A simple cost analysis is not the entire story, though. There are other factors that should be considered:


Compliance with PCI DSS reduces the risk of compromise


The PCI DSS requirements are well-known and provide a merchant with security practices and protections that, if implemented as intended, can help safeguard any Information Technology environment while reducing the risk of a data compromise, potentially saving hundreds of thousands, if not millions of dollars.


Compliance with PCI DSS is a contractual requirement

Contractual compliance with PCI DSS is in two forms:

  • When a merchant enters into an agreement with a merchant bank or acquiring bank, there is always a clause stating that the merchant will comply with PCI DSS requirements and be able to prove compliance annually. If a merchant cannot provide proof of compliance to its merchant bank, a breach of contract can be triggered. This is when the lawyers on both sides come in and the fun begins, including the merchant losing the ability to accept payment cards, and potentially losing customers and sales revenue.

  • Customers may include contractual language that the merchant complies with PCI DSS in order to provide services to the customer. Again, non-compliance can lead to a breach of contract situation where the customer may cancel the contract or withhold payment for services.

Compliance with PCI DSS is becoming a regulatory requirement


In some jurisdictions, compliance with PCI DSS is included as a regulatory requirement. That is, by law, the merchant must be able to show compliance with PCI DSS requirements. The state of Nevada passed a law in 2010 (S.B. 227, NRS 603A.215) that requires businesses to comply with PCI DSS. Non-compliance with PCI DSS in the state of Nevada constitutes a deceptive trade practice (NRS 603A.260) and exposes a non-compliant business to being liable for damages if a breach occurs. Other states have incorporated some of the PCI DSS requirements and language into their laws concerning the handling of payment card data.


Compliance with PCI DSS may reduce fines should a breach occur


If a merchant experiences a breach of payment card data and can show that at the time of the breach they were in compliance with PCI DSS, then fines may be reduced or eliminated.


Non-Compliance with PCI DSS if a breach occurs


A merchant that is not compliant with PCI DSS at the time of a breach will be required by the payment brands and merchant banks to achieve the highest level of compliance (Level 1). The expense of becoming compliant as required by the merchant banks and payment brands will certainly exceed the savings of having been non-compliant and simply paying the fines.


Apart from any fines, keep in mind that the average cost of a data breach is USD 3.86 million per incident (Ponemon Institute Cost of a Data Breach Report 2020). This includes costs related to detecting the breach, breach notification, lost business, and post-breach response.


While not being compliant with PCI DSS may appear cheaper, easier and low risk, the benefits of compliance outweigh the cost, time and effort of reaching it, because implementing the requirements provides a foundation for applying security best practices.


Conclusion


Balancing risk and budget is always difficult. Funding for compliance always encounters the question “But what if we are lucky and don’t have a breach? We could save up to a million dollars a year.” If you are a merchant that holds a lot of payment card data, you may be lucky for a while. Good luck can turn to bad luck quickly in the cyber security world. It is like betting: do you want to expose your company to a possible expense of nearly 4 million dollars by eliminating PCI compliance?


3Factor Compliance Services can provide PCI DSS certified QSA assessments and also determine the risks and costs related to PCI compliance to ensure your PCI compliance program is effective and efficient.
