The news of a PCI breach is just the start of a host of issues – all of which can be crippling to a business.
Many CIOs and compliance officers may complain about the burden that the Payments Card Council imposes on them, but the rules exist for good reason.
Like most issues involving compliance, card data rules are more effective as a preventative measure. Once a breach has occurred the problems really start multiplying.
The most recent Ponemon Fall Out report found that 45 per cent of data breaches involved the loss of card payment data. These digital details are so intrinsic to modern life that they have lasting repercussions for all involved. Here are five ways your
costs will soar if you do not keep your PCI compliance maintained and you become a victim of a hack.
Frantic checking of the existing system
Stemming a leak can be expensive and we're not just talking about calling a plumber. The Ponemon research showed insiders and third parties are most often the cause of the data breach, but 44 per cent of the respondents said they were unable to determine
the root cause of a breach. On a positive note, companies believe that human risk factors are easier to control than outside influences.
What is clear is that a breach will stop you in your tracks. Fifty per cent of respondents said the most negative consequence of a breach was the loss of productivity, as key employees are diverted from their usual roles to help a company resolve the incident.
Making changes to the system
When something goes wrong, the upheaval can be immense.
Following a breach, senior leaders at the organisations involved believe they are at their most vulnerable. Eventually lessons will be learned that may improve privacy and data protection practices, but why get bit before you stop tempting the dog?
The emphasis in the new PCI DSS 3.0 requirements is on descoping. PCI compliant cloud solutions may now become the first choice, as more and more organisations look for the most effective solution straight away, rather than waiting until something goes wrong.
Retraining staff
Changes are not just made at an IT level. In the aftermath of a data breach, employees become more careful around data and 61 per cent believe they are more aware of the consequences of failing to protect sensitive and confidential information. In order
for this to be the case, training and awareness is required.
Reputational damage
This may be less tangible than other costs following a data breach, but it can be the most significant long-term consequence. A recent Experian-sponsored study of 850 executives found data breaches can be responsible for losses of between $184 million and
over $330 million in the value of a brand.
The research came to the conclusion that breached brands lose on average 12 per cent of their value. This is not surprising as PCI compliance is concerned with keeping consumers' personal details out of the hands of criminals, so if your company lets them
down, it is only natural they will distrust you in the future. Of the 843 senior-level professionals questioned for the survey, 73 believe their brand image and reputation are "inextricably linked" and less than half of the respondents said their organisation's
brand image and reputation could ride out a data breach.
"A solid reputation is a company's greatest asset and it is therefore imperative that business leaders take precautionary steps to protect themselves, their customers, their employees and their intellectual property against data breaches," said Ozzie Fonseca,
director at Experian Data Breach Resolution.
PCI fines and increased charges
Lastly, there are the card companies' own sanctions to consider. For companies that rely on card payments such as contact centers, these can be crippling and include:
- A fine of $500,000 per data security incident
- Ongoing daily fines of up to $50,000 for non-compliance with published standards
- Liability for all fraud losses resulting from compromised account numbers
- Further liability for the cost of reissuing cards associated with the compromise
- Suspension of the company's merchant accounts