Every month, a major organization suffers a breach, customers seethe, media outrages, regulators impose substantial fines and we forget about it until a bigger breach occurs, this time the impact is grandeur and engulfs millions of users. This iterative cycle of a data breach is the reality of the connected world we live in.
Data Breach has affected every major online platform or service provider including Facebook, LinkedIn, Uber, Sony, and Quora. In the world’s biggest data breach, Yahoo suffered a loss of $300 Million in valuation and data of over 3 Billion people were compromised. With online payment getting seamlessly integrated into the modern fabric of life, the demands for safer Internet is bound to rise.
Players like American Express, MasterCard, VISA and Discover together have crafted regulations to protect the sensitive data of customers who use their cards for online shopping. PCI DSS compliance helps e-commerce stores, aggregators and other online players to safeguard their customers from fraudulent transactions.
What is PCI DSS Compliance?
In the simplest words, PCI DSS compliance can be defined as the set of regulations every enterprise that receives, stores or transfers card information must follow. PCI DSS compliance requirements are subject to timely upgrade. The upgrade is implemented in synergy with the evolving technology.
From standalone e-commerce stores to online marketplaces and from bidding sites to cab aggregators, everyone needs to acquire PCI DSS Compliance to safeguard customer’s card information from unauthorized access.
Why is PCI DSS important?
The Payment Card Industry Data Security Standard pushes merchants to follow a series of steps to safeguard customer’s credit or debit card against fraud payments. PCI DSS compliance also defines best practices in case of a data breach. When followed religiously these guidelines safeguard both cardholders and merchants.
A Juniper Research revealed, “The online payment fraud will reach $22 Billion in 2019 and by 2023, it will touch $48 Billion marks”. Another study by an eminent institution highlighted “e-commerce frauds cause loss of around $600,000 per hour”.
With customer’s hard-earned money going down the drain and online stores going bankrupt paying for the damage, it gets indispensable to have regulations that govern and protects the online payment space. PCI DSS, when implemented rightly, can offer 100% security against data theft and fraudulent transactions.
Some of the other Benefits a Merchant can cash upon with PCI DSS Compliance are:
- Improved Customer Confidence
- Offers a Safe Functioning Blanket
- Helps you Avoid Fines
Who is Subjected to PCI DSS? Is PCI a legal requirement?
The standard definition of PCI DSS holds every merchant who accesses, stores, transfers or operates on customer’s card detail liable for the data breach, making it compulsory for them to be compliant. While the standard definition engulfs everyone who receives payment but the technical definition is a little broad and complicated.
A business that usages United Payment Interface, where the customer is redirected to apps like Google Pay and PhonePe for completing transactions, doesn’t require PCI DSS Compliance. Some exceptions and rules allow a few merchants to function without PCI DSS Compliance but customers want flexible payment options like Credit/Debit Card and Net Banking, for which PCI DSS Compliance is a must.
Merchants can let go PCI DSS Compliance but to offer incomparable customer experience they must offer multiple payment options.
IS PCI a Legal Requirement?
Technically, PCI DSS is an industry requirement and not a legal requirement. Entities like American Express, MasterCard, VISA and Discover holds merchants contractually obliged for PCI DSS. Missing to furnish PCI DSS Encryption Requirements will lead to the imposition of hefty fines.
For instance, e-commerce or any online store that receives payments only through cash-on-delivery or card-on-delivery does not require PCI DSS Compliance and they will not be liable for any payment frauds. Also, features like cash on delivery leave merchants vulnerable too.
On the other hand, increasing data breaches and cyber-attacks are coaxing Senates into making compliances like PCI DSS a compulsion.
What happens if I’m not PCI Compliant?
96% of people surveyed have heard of Fintech and app-based payment system and by 2020, 90% of all smartphone users will have made a mobile payment. Such unprecedented growth has brought with itself a pool of opportunities for both Fintech Start-ups as well as Hackers.
Since hacking Fintech apps offer instant gratification in form of monetary benefits, it is the next target of hacking groups from around the world; unlike hacking Facebook, Sony and Quora offered hackers with personal details, which were later sold.
With merchants’ not fulfilling PCI DSS encryption requirements and PCI DSS firewall requirements, they are going to face the following consequences:
- Hefty Fees & Fines
- Economic Remedies such as Chargebacks
- Termination of Network Participation
- Blamed and sued for Data Breach by parties like American Express and MasterCard
- Customer’s Confidence & Brand Reputation
What is the fine for not being PCI Compliant?
Consequences of failing the PCI Data Breach test sometimes run into a million dollars. While monetary losses are tangible and are weighed the most in media but it is the loss of customer confidence that hurts a brand the most. 86% of people have agreed to never do business with a company after just one bad experience. By failing the PCI compliance test, businesses can lose their market share and even go bankrupt.
An enterprise can be fined somewhere from $5,000 to $100,000 per month for the time it takes the enterprise to get compliant. Once a company fails the test, the entities like American Express and MasterCard can collectively decide to ban the company from the network.
Since PCI DSS Compliance has 12 different requirements, the overall fine imposition depends upon the level of compliance failure. Businesses can be fined heavily if they are found to be in grave fault and can be left to go with small fines when they have failed mildly.
How many PCI DSS requirements are there?
As conveyed earlier, PCI DSS self-assessment is tough and certainly not the best way of getting PCI Compliant. The technical definition is vast and has multiple layers to it. Enterprises/merchants should engage with an expert without worrying about the PCI DSS Certification Cost because it is going to cost lesser than PCI DSS fines.
There are 12 PCI DSS Compliant requirements and they are:
- Protect your system with Firewall
- Protect stored Cardholder Data
- Maintain a Vulnerability Management Program
- Restrict Access to Cardholder Data by Business-need-to-know
- Implement Logging and Log Management
- Use Authentic Anti-virus and not Vendor Supplied Tools
- Encrypt transmission of Cardholder Data across all channels
- Assign Unique ID to Every Authorized Personnel
- Regularly Update and Patch System
- Conduct Vulnerability Scans and Penetration Testing
- Documentation and Risk Assessments
- Restrict Physical Access to Workplace and Cardholder Data
What does PCI DSS impact?
Government, Fintech Groups and Electronic Payment Facilitators are aggressively pushing for PCI DSS Compliance because lack of it can jeopardize everything entrepreneurs work for and customers ‘ hard-earned money too. Fulfilling PCI DSS password requirements and encryption requirements can help businesses avoids fines and offer competitive customer experience.
While failing compliance test can get businesses closed, its positive impacts are:
- PCI DSS promotes confidence among customers
- Pivot from earl stage SSL/TLS to technologies like SSH and IPSec VPN
- Can Hold Customer’s Credit/Debit Card Details to Facilitate Better CX
- Better ability to hash Primary Account Numbers and important details
- PCI Encryption helps businesses avoid the need of getting expensive Disk Encryption
- Promotion of healthy and safe handling of data at the workplace
- Safeguard Passwords of servers and employees, since PCI DSS rules out the possibility of password sharing
- Enhanced Physical Security to POS Terminals
- Improved Resistance Against Unauthorized Access tested via Penetration Testing
How much does it cost to become PCI Compliant?
The cost of getting PCI Compliant depends upon several factors. Bootstrapping companies that are offering basic services need lesser compliance while industry leaders need to get their workplaces optimized too. PCI DSS has 12 unique requirements as mentioned earlier hence the cost varies accordingly.
Apart from the PCI requirements the cost also depends upon the following:
- Your business type
- The size of the organization
- The security culture at the organization: If a company follows a unique id feature from early then the cost of PCI Compliance will come down
- The environment at the workplace
- PCI Capabilities of the Internal IT Team
- Earlier collaboration with Banks and NBFC
The standard pricing of PCI self-assessment, PCI password requirements and other types of compliance are:
- Self-Assessment Questionnaire: $50-$200
- Vulnerability Scanning: $100-$200
- Training and Policy Development: $50-$100 per employee
- Software and Hardware Updates: Starting from $1000
How to become PCI DSS compliant?
The pretext is very clear, to function under a safety blanket and offer to-notch customer experience, merchants and Fintech enterprises need to get PCI DSS Compliance at the earliest. Since PCI DSS is a set of regulations designed by electronic payment facilitators, you cannot get it done on your own.
Businesses today need to get in touch with a PCI DSS Certificate vendor to become compliant. PCI DSS Compliance Certificate provider can help Fintech start-ups and online merchants develop the requisite the infrastructure before applying for the certificate.
What all a PCI DSS Compliance Service Provider will offer:
- Building a robust infrastructure
- Develop a system that offers isolation of cardholders data
- Setting up a system that logs everyone who accesses customer data
- Carry on Vulnerability Assessment and Penetration Testing
- Install the requisite antivirus and firewalls
Basically, a PCI DSS vendor will help you fulfill all the 12 requirements of PCI DSS Compliance. Businesses can carry on PCI DSS self-assessment before getting in touch with vendors, this will help them speed up the process.
Benefits of going ahead with a PCI DSS Vendor:
Businesses try to save funds by trying to get PCI DSS self-assessment, which is certainly not the best way of going ahead. PCI DSS Compliance has 12 requirements and all of them are very intricate and require meticulous attention. A team of cyber experts is experienced in handling these requirements hence they are your best chance of getting PCI DSS Compliance.
The vendor can always hook you up with other compliances at affordable prices. Since vendors have worked in the past with businesses like you, they understand the problems that can occur, which coaxes them in taking the requisite measure while implementing.
A study predicts by 2020 every smartphone owner will have made an online payment, which proves online payment is the future. Businesses that are selling products through cash-on-delivery will have to bow down to the pressure and spend more. Now is the best time to invest in PCI DSS Compliance and save yourself from notice and market competition. Invest in compliances and you will have to pay for fines and damages.