The Risks of Not Reaching PCI Compliance

Submitted by andyeliason Fri, 9 May 2008

What makes personal information so valuable? Is it really all that easy for a hacker to not only get a hold of your sensitive information, but to turn around and use it and/or otherwise profit from it?
The unfortunate truth is: yes. It is exactly that easy. And in this case we're not talking about those nifty e-mails that seem to show up on occasion from your long lost aunt or uncle who was (wonder of wonders) somehow distantly related to Nigerian royalty and, with no other heirs, you have but to hand over all your personal information to the "Bank" to collect your fortune. No. That's not what we're talking about. There are plenty of innocuous ways that an innocent can lose their personal information. Ways that PCI compliance was intended to eliminate.

In recent history there have been a number of security breaches that have caught the attention of the general public. Topmost on this list would likely be the TJX case. Starting in July 2005, hackers were able to spend more than 18 months exploiting various weaknesses to steal more than 100 million credit card numbers. And it didn't even stop there. Due to a lack of security measures that would have otherwise been required by PCI compliance, these hackers were also able to steal the information that was collected with returned items. This kind of data is often even more sensitive as it involves very personal information.

What did all this mean to the TJX company? It meant, according to some estimates, that they will suffer financial damages in the range of 118 million dollars. Other estimates, when they consider the costs of legal fees, call centers, and other peripheral expenses, have pushed that number past a billion.

Will that kind of damage be done to you if you suffer a breach? Well, that depends on the size of the breach and whether or not you were PCI compliant at the time. But you could very easily be looking at hundreds of thousands of dollars in fines. In fact, you could be hit for up to 500,000 dollars per incident.

But the real risk of not reaching PCI compliance is not, believe it or not, the financial risks. Well, it is, but it's the long-term financial risks and not the immediate fines that are the real problem. Many companies will survive and fight their way through immediate financial difficulties, but the damage to their reputation could be almost irreparable. If you are going to fight your way out of financial troubles, that reputation might be all you have to stand on. If it's too wobbly, well, you're going to tip right over.

So what does PCI compliance gain you? Safe Harbor, for one thing. This is protection from certain PCI-related fines if you should happen to suffer a breach while compliant. More than that, though, is the ability to offer your customers a safe environment in which to conduct their business. As awareness grows about the necessity of secure transactions, your customers are going to demand PCI compliance.

Could you simply deal with these issues on your own? After all, aren't many requirements of the PCI DSS simple common sense items? Well... yes and no. It is true that much of the PCI DSS is common sense, should-be-standard procedures. That does not, however, mean that they are simple or cheap to implement. And as such, they often do not get accomplished.

For an example, we turn back to the TJX company. A large company with huge operations and intelligent people creating policies and procedures. However, it turns out that they were transmitting unencrypted data over their networks where anyone could read what was being sent. It's a simple and very necessary component that was somehow overlooked.

PCI compliance was developed to help merchants catch and take care of these oversights before they become real problems. And while the cost of PCI compliance may be high, the risk of non-compliance is far greater.

Andy Eliason is a writer at Main10, Inc. If you'd like to learn more about PCI compliance, or how increased information security can help your business, visit Braintree Payment Solutions.

Source: ArticleTrader.com