In January 2009, Heartland Payment Systems discovered a data breach in their system. At the time, the company was processing more than a million payment card transactions for 175,000 small and mid-sized retailers every month. The data breach affected 134 million credit cards.
After the discovery of the breach, the company was found not to have been compliant with the Payment Card Industry Data Security Standard (PCI DSS). As a consequence, the firm was banned from processing payments for credit card providers for five months. The firm also incurred a loss of $145 million, which was paid to compensate the affected parties.
What is the Payment Card Industry Data Security Standard (PCI DSS)?
The Payment Card Industry Data Security Standard (PCI DSS) is a standard established to safeguard credit card data. Every organization that handles any form of credit card data is expected to comply with the standard.
Why Retail Companies Need to Comply with PCI DSS
Retail companies routinely handle customers’ credit card data, which contains personal information such as:
- The customer’s credit card account number
- The verification values of the credit card
- The cardholder’s name
- The expiration date of the credit card
Access to this data makes the firms highly susceptible to credit card fraud.
Most retailers are small or mid-sized companies that lack the IT security resources to address the vulnerabilities that enable card fraud. Moreover, many of these retail firms run online shops where Card-Not-Present (CNP) transactions are common, and such transactions are particularly susceptible to fraud.
CNP fraud occurs when cardholder data is stolen and used illegally. The fraud is prevalent in instances where the cardholder doesn’t need to present the card physically to complete a payment transaction. Online payment transactions don’t necessarily require the credit card to be verified physically, which makes it hard for the merchant to detect any signs of fraud.
CNP fraud is on the rise and is the most common type of credit card fraud. The fraud is 81% more likely to happen compared to card-present and in-store fraud. Losses from credit card fraud were reported to be at $21 billion in 2015, and are expected to rise to $31 billion by 2020.
US retailers are especially vulnerable to CNP fraud, given that the country has the highest number of e-commerce stores. It is estimated that 77% of US retailers accept credit card payments online.
When such fraud occurs, your retail company bears the loss. A notable example is the hacking of Heartland Payment Systems that occurred in 2008. The hacking affected multiple types of credit cards and exposed the credit card data of more than 130 million customers. The firm spent more than $140 million responding to the breach, paid $60 million and $3.5 million to settle with Visa and American Express respectively, and incurred legal fees of about $26 million.
For a retail company, a data breach negatively impacts the bottom line, especially because many retailers operate on small profit margins. One way to avoid such effects is to be PCI-compliant. According to a PCI compliance report compiled in 2015, companies that complied with PCI DSS standards did not experience data breaches.
Being PCI compliant is critical for the following:
- Protect your customers’ credit card data from unauthorized access and CNP fraud
- Prevent possible litigation by credit card owners and companies
- Escape high legal fees resulting from litigation
- Avoid penalties ranging from $5,000 to $500,000 due to noncompliance with PCI standards
- Avoid revocation of your ability to accept credit cards
- Avoid reputational damage, and so retain customer loyalty to your business
How Your Retail Company Can Become PCI Compliant
So, what does being PCI-compliant mean for your firm?
The PCI Security Standards Council, which established the PCI standards, defines four compliance levels for retailers and merchants. A retailer’s annual e-commerce transaction volume determines the level of compliance it is expected to meet.
Retailers found to be non-compliant with PCI standards, or that have suffered a data breach in the past, may be assigned a higher compliance level.
- The first level of PCI compliance is for retailers whose e-commerce transactions are higher than $6 million
- The second level is for retailers with $1-6 million annual online transactions
- The third level is for retailers processing $20,000-1 million e-commerce transactions annually
- The fourth level is for retailers with less than $20,000 yearly online transactions
Retail companies at compliance level 1 are expected to contract qualified internal or external security assessors to evaluate them and provide a PCI standards compliance report.
Level 2 to 4 retailers are expected to complete an annual Self-Assessment Questionnaire (SAQ) covering how they capture, store, and transmit credit card data. These retailers also need to contract an approved security assessor vendor to perform regular network scans.
The Bottom Line
PCI compliance isn’t a one-time undertaking. Retailers are expected to revisit the standards and demonstrate compliance annually, which is why you should set aside a budget for PCI compliance. Moreover, putting in place measures such as credit card tokenization, data encryption, and fraud filters helps to keep cardholder data safe.
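The tokenization measure mentioned above is worth seeing in code, because it changes what a retailer's own systems hold. The following is an added example, not code from the article or from any PCI SSC publication: a constructed, in-memory stand-in for a token vault (a real one would live on segregated infrastructure and store PANs encrypted under a managed key), a Luhn check that rejects malformed card numbers before they are vaulted, a masking helper for receipts, and the record the merchant's order database actually keeps. The `tok_` prefix, the `CardReference` type and the card number used in the comments are all assumptions; `4111 1111 1111 1111` is a constructed test number, not a real account.

```python
import secrets
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Return True if the card number passes the Luhn checksum.

    This only catches typos and garbage input; it says nothing about whether the
    card is real or active. It is here so the vault rejects malformed input early.
    """
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for receipts and screens, leaving only the last four digits."""
    digits = "".join(c for c in pan if c.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass(frozen=True)
class CardReference:
    """What the merchant's own database is allowed to keep: no PAN, no CVV."""
    token: str
    last4: str
    expiry: str


class TokenVault:
    """Stand-in for a tokenization service that sits outside the merchant's systems.

    The two dicts are a constructed, in-memory illustration. A real vault would
    store the PAN encrypted under a managed key on segregated infrastructure.
    """

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str, expiry: str) -> CardReference:
        digits = "".join(c for c in pan if c.isdigit())
        if not luhn_valid(digits):
            raise ValueError("card number failed Luhn check")
        # The same PAN always maps to the same token so recurring billing keeps
        # working, but the token is random and carries no information about the PAN.
        token = self._pan_to_token.get(digits)
        if token is None:
            token = "tok_" + secrets.token_urlsafe(24)   # assumed token format
            self._pan_to_token[digits] = token
            self._token_to_pan[token] = digits
        return CardReference(token=token, last4=digits[-4:], expiry=expiry)

    def detokenize(self, token: str) -> str:
        """Only the payment gateway integration should ever call this."""
        try:
            return self._token_to_pan[token]
        except KeyError:
            raise LookupError("unknown token") from None


def merchant_order_record(order_id: str, ref: CardReference) -> dict:
    """The row a retailer's order system stores: enough for refunds and display, useless if leaked."""
    return {
        "order_id": order_id,
        "card_token": ref.token,
        "card_display": "**** " + ref.last4,
        "card_expiry": ref.expiry,
    }


if __name__ == "__main__":
    vault = TokenVault()
    ref = vault.tokenize("4111 1111 1111 1111", "12/29")   # constructed test number
    print(merchant_order_record("order-1001", ref))
    print(mask_pan("4111 1111 1111 1111"))
```

The point for a retailer is scope: once only `merchant_order_record` rows exist in the shop's database, a compromise of that database yields tokens that are meaningless outside the vault, and the systems that touch full PANs shrink to the vault and the gateway integration that calls `detokenize`. Keeping the PAN-to-token mapping stable is a design choice that supports recurring billing; a vault issuing single-use tokens would drop the `_pan_to_token` lookup.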
This is an article provided by our partners network. It does not reflect the views or opinions of our editorial team and management.