PCI Compliance – The Risks with Answering “Yes”
If PCI compliance does not scare you, maybe it should. The Gemalto Breach Level Index reported 1,540 data breaches in 2014 totaling over a billion records. That works out to 32 records lost or stolen every second. The Nilson Report states that worldwide losses due to credit/debit card fraud totaled $16.3 billion in 2015. That is some pretty scary stuff.
So the $16.3 billion question is: who is liable for all those losses?
It could be you, the merchant. Legally, the card brand, the card processor and the merchant (you) share this responsibility. However, the share of liability borne by the merchant is increasing, and that is probably intentional: the PCI Security Standards Council was founded by the major credit card brands and essentially serves those organizations. Although the standard's stated primary objective is to secure cardholder account data, it also shifts more of the fraud-loss liability onto the merchant.
That leads us to our main question: by answering "Yes" to every question on the PCI Self-Assessment Questionnaire (SAQ), have you exposed your organization to additional risks and liabilities?
We understand that you have to answer "Yes". The entire process is often treated as a formality, but did you really understand each of the questions? Can you honestly state that you are truly compliant?
If you are found noncompliant, are you more liable in the event of a breach? Sadly, that answer is also "Yes".
Look no further than the security breach at Schnucks Markets for a real-life example. In 2013, the Schnucks data breach exposed 2.4 million payment cards. In addition to the damage to its public image, Schnucks faced a class action suit and was also sued by its card processor. The class action was settled for $2.1 million. Another $500,000 went to the processor, because the processing contract capped Schnucks' liability at that amount and Schnucks was found to have been compliant. Had Schnucks been found noncompliant, it would have been exposed to roughly $3 million more. Because the court ruled in Schnucks' favor and upheld the $500,000 contractual cap, legal experts expect processor contracts going forward to raise or eliminate such caps.
So, what can you do? You can answer "Yes" to all those PCI compliance questions; you more or less have to. But you had better know why each answer is "Yes", and be sure that your technology and the related processes, policies and procedures actually support those answers.
So, how can Lazerware assist?
Founded in 1990, Lazerware is a technology services organization that offers a variety of value-added professional services to its customers, including a PCI Compliance Risk Assessment.