The Merchant Processing Guru Tip# 29: So why is PCI so important anyway?
Before I get into the 12 requirements of PCI DSS Compliance I wanted to reiterate why this is so important in the first place. We still do not hear stories every evening on the news about data breaches, so is this even a real concern? The answer is a resounding YES! If you wait for a breach to happen to someone on your street, or until you begin to hear about it more often, and only then plan to implement a PCI program, it just may be too late and it could cost you your business.
Anyone with a merchant account who processes any credit cards at all, even one a year, not only must be PCI compliant but is more vulnerable than you can even begin to fathom. The first reason to become PCI compliant is that when you sign a merchant agreement you are contractually responsible and bound to the acquirer to meet all requirements of PCI DSS. This means that if you do not become compliant within a certain amount of time you are in violation of the merchant agreement and you are fully responsible for any breach that occurs. Above all, a breach could be so devastating to a small business that the fines and required forensic audits alone could put you out of business. A forensic audit ordered by the Associations to investigate how the breach occurred could cost as much as $10,000 or more, even if you are not at fault, and the fines from the Associations could be as high as $30 – $50 for each card number that was stolen. In most cases thousands of card numbers are stolen, so you do the math!
Another great reason is simply to protect your customers’ cardholder data. Breaches occurred long before PCI compliance even existed, and the increase in this crime over the years, along with the lack of response from the industry to safeguard against it, has led the Associations to regulate it and create a minimum standard for cardholder data security that everyone needs to adhere to. But the fact of the matter is that we should all be as concerned, if not more so, about protecting our customers’ data than we are about covering our backside if something were to happen…
The data breach of TJ Maxx in 2006 was easily executed from a laptop in a car in the parking lot. The criminals were able to easily access the store’s Wi-Fi and download all the information they wanted from a network that was completely open. Since then PCI DSS was established and most of these big box stores have implemented all the PCI requirements, so the hackers have, for the most part, moved on to smaller, easier targets. This leaves the small business owners who have not yet taken PCI compliance as seriously vulnerable to attack.
If you are in the medical industry a PCI data breach is also a HIPAA violation; if you think about it, a patient’s credit card data is patient information just like any other patient information. So if you have to comply with HIPAA, PCI DSS should be incorporated into your HIPAA policies and procedures, and you should adhere to the 12 PCI requirements as fervently as to HIPAA regulations. Your practice may depend on it. Unfortunately, the medical industry is one of the industries seeing a huge increase in data theft.
Still not convinced? Here is a video interview of someone who experienced a data breach first hand and was brave enough to share and warn others about it: