The Cost of Compliance: Understanding Fees, Fines, and Other Charges

by Darwin on May 2, 2017

If you accept credit card payments from your customers, then you are undoubtedly familiar with the concept of PCI security compliance. The Payment Card Industry established the PCI Data Security Standards (PCI DSS) as a means of ensuring that all companies involved with the collection and handling of payment card data maintain a secure environment that protects card data and customer finances.

PCI DSS requirements apply to all companies that accept payment cards, but how stringent the requirements are – and what it takes to demonstrate compliance – varies according to the number of transactions processed each year. For instance, companies that process fewer than 1 million Visa transactions per year are considered Level 4 merchants, while those that process 6 million or more Visa transactions per year are PCI Level 1 merchants. These distinctions are important, because the more transactions you process each year, the more you will spend on compliance costs.

Proving Your Compliance

Without even getting into the costs of establishing security controls to maintain PCI compliance – which can reach well into the hundreds of thousands of dollars – businesses can expect to invest in compliance-related activities.

For example, while Level 4 merchants are allowed to conduct a self-assessment questionnaire to gauge compliance, Level 1 merchants must undergo a QSA-led assessment every year. These assessments, conducted by an independent third party, can cost anywhere from $20,000 to $75,000 depending on the complexity of your business and the level of work that needs to be done. Should the assessors discover issues that require remediation, you can expect higher costs.

However, as much as a QSA costs, a data breach and noncompliance will cost more.

Costs of a Data Breach – And Why You Want to Comply

The idea behind PCI DSS is to prevent data breaches. What many fail to realize, though, is that these are only a set of minimum standards; keeping cyber-attackers out of your business requires going above and beyond the standards and making security a priority. That being said, complying with PCI DSS reduces your risk of a breach considerably.

This is good news, because a data breach can cost your business – big time. According to the 2016 Data Breach Study by the Ponemon Institute and IBM, the average cost of a data breach last year was about $7 million, or $221 per stolen record. That per-record figure includes direct costs (an average of $76) such as legal fees and offering credit monitoring to affected customers, as well as indirect costs ($145) related to brand damage and lost customers. Data breach costs can also include penalties paid out to victims, fines paid to banks and major credit card brands, and the costs associated with investigating and reporting the breach. For example, in 2011, a Massachusetts restaurant group received a $110,000 civil penalty for a data breach that took place in 2009. In addition to the other costs associated with the incident, the restaurants were on the hook to pay those penalties to the Commonwealth of Massachusetts.

Noncompliance Costs

In addition to the costs associated with a data breach, the simple act of noncompliance can lead to major expenses for your company, especially in the event of a breach.

For starters, many credit card processors will charge a monthly fee if you cannot prove compliance. These fees can range from $5 to $30 per month, and are simply meant as a reminder that you need to submit documentation related to your compliance. These fees are different from fees charged for compliance support or data breach insurance, which are usually optional.

Should your company experience a breach, the credit card issuers charge even more fees. Depending on the severity of the breach and the results of the investigation into it, you could be facing fines of $50-$90 per compromised cardholder. In a major incident, these costs add up quickly. That’s not even accounting for the other costs, including civil litigation, damage to your brand, and the likelihood that the card issuer(s) will suspend your business from accepting their cards until you remedy the issues that led to the breach.

Thus, as you can see, while there are significant costs associated with PCI DSS compliance, the consequences of not complying are even greater. In fact, a data breach can effectively sink a small business and do lasting damage to a larger one, so it’s important to take compliance seriously and adhere to all the guidelines to protect your bottom line.
