PCI DSS compliance and payment card security – what’s the cost of doing nothing?


8 May 2024

Molly Shane, Senior Account Executive at Eckoh, speaks with many businesses each day about their compliance needs. In her blog, she outlines one of the more surprising aspects of her conversations.


Amazingly, a significant number of companies are still doing the bare minimum to secure card payments. The days of being asked to read out your card details over the phone should be long gone, but I know from my own experience and from talking to others that consumers are still regularly being put in this uncomfortable position of broadcasting their card information to strangers.

So, why are companies reluctant to invest in real payment card security? At its heart, it’s because the perceived cost of taking action outweighs the perceived cost of doing nothing. This is a big mistake as the costs of doing nothing are huge (and continuously growing), as I’ll discuss in this blog.

Compliance and security are not the same thing

Every day I come across examples of large companies who are shockingly still taking card payments from their customers in ways that are neither secure nor PCI DSS compliant.

Then there’s another group of companies who know that they need to do something, so they’ve nodded in the direction of compliance. For example, perhaps they’ve installed a makeshift solution such as a pause and resume system and consider that to be sufficient.

A key thing to understand here is that compliance and security are two different things. A pause and resume system can be compliant with PCI DSS; however, it's definitely not secure. Your agents may be stopping and starting the call recording, so the card details are not being recorded and stored, but the agents themselves are still exposed to the callers' card details. A pause and resume system still leaves you exposed to potential breaches caused by your agents' actions, and still leaves you liable for the financial and administrative costs associated with follow-up PCI audits, which we'll highlight later.

Payment card data breaches are more common than ever

Over the last four or five years since the start of the pandemic, the number of card payments has skyrocketed. More consumers than ever before are shopping remotely and expecting to be able to make secure payments online or over the phone. At the same time, the number of breaches has also shot up. Harvard Business Review reports a 20% increase in data breaches between 2022 and 2023. Organizations such as Warner Music Group, Equifax, Target and Adobe have all fallen victim. IT Governance reports that over 30 billion data records have been breached already in 2024, and that number is rising all the time.

The cost associated with a breach can run to millions

And it’s not just that the risks are increasing all the time. So are the costs. IBM estimates that the global average cost of a data breach in 2023 was $4.45 million, and that the savings to be made by organizations that secure their data effectively equate to $1.76 million. These are huge numbers and the cost of investing in a payment card security solution such as Eckoh’s is a drop in the ocean compared with the cost of a breach.

At Eckoh we talk to many companies who’ve experienced a breach or poor audit and want to know how we can help them secure their data going forward. They’re shutting the stable door after the horse has bolted. The costs of a breach aren’t just the cost of fines or other regulatory costs (which can be massive just on their own). There’s also the reputational cost. The cost of potential lost business. The cost of damage to your brand that could take years to repair. According to findings from a study conducted by Delinea, 65% of individuals affected by a data breach expressed a diminished level of confidence in the breached organization, potentially leading to long-term impacts on customer allegiance. Much better to invest in a payment card security system before you need it.

Not offering secure payment options can damage your brand

Even if you're not subject to a breach, there's still a cost associated with not effectively securing your customers' card data. Consumers these days expect companies to take payment card security seriously and are ever more reluctant to give their card details to a company that clearly doesn't. Nothing signals more clearly that you don't take card security seriously than asking a customer to read out their card details to an agent. More and more consumers will shop elsewhere if they're asked to do this.

And to a customer it makes little difference if you have a pause and resume system in place – as far as they're concerned, they're still being asked to read out their card details to a stranger, and it's obvious that the agent will be exposed to those details – not to mention those around them if they are in a public setting. A secure payment solution such as Eckoh's sends a very clear signal to customers that you take their payment security seriously. Increasingly, that's likely to be the difference between someone buying from you or going elsewhere.

A secure payment solution also saves you money

Most companies view payment card security systems purely as a cost to the business, but that's a mistake too. In fact, investing in a good payment card security system such as Eckoh's will immediately start saving you the time, money and administration costs associated with a PCI DSS audit. Anyone who's a level one service provider has to be audited at least once a year. That process is hugely time consuming, typically taking a minimum of four weeks, and the associated administrative burden on the business is massive, so there's a significant cost associated with being audited.

A secure payment system such as Eckoh’s descopes your contact center entirely from PCI DSS, removing this administrative burden at a single stroke. Come audit time you can count on huge time and energy savings when we pass along an Attestation of Compliance to your auditor. This is one of the benefits that our customers most appreciate.

How does it work?

Eckoh sits between your customers on one side and your telco and payment processor on the other. In effect we wrap our arms around all your existing vendors and processes to secure your customers' card data, ensuring none of your customers' payment info ever touches your networks or systems. When a customer calls in, they're invited to enter their card details using their phone keypad or via secure speech recognition. The agent can't see or hear customer card information, but the line is still active, so they're able to communicate with the customer throughout the transaction without being put on hold or transferred away. From the customer's point of view the process is quick and easy and they feel supported throughout. From the agent's point of view there's no significant change to their workflow, so they're not slowed down at all, they don't have to learn a new way of doing things, and there are no additional training costs. It's a win-win for customers, agents, and business security leaders.
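To make the contrast between the pause and resume approach described earlier and the keypad-entry design concrete, here is an added simulation (not Eckoh's code; the event model, function names and the test card number are constructed for illustration). It shows what each party can still see in the two designs.

```python
import re
from dataclasses import dataclass

# Constructed call model: each event is either a speech fragment
# or one DTMF keypress arriving on the telephony leg.
@dataclass
class CallEvent:
    kind: str      # "speech" or "dtmf"
    payload: str   # spoken text, or the single digit keyed in

TEST_PAN = "4111111111111111"  # constructed test number, not a real card

def constructed_call() -> list[CallEvent]:
    """Customer speaks, keys in a 16-digit number, then speaks again."""
    return ([CallEvent("speech", "hello, I'd like to pay")]
            + [CallEvent("dtmf", d) for d in TEST_PAN]
            + [CallEvent("speech", "done")])

def contains_pan(stream: list[str]) -> bool:
    """Check whether a party's stream carries a 13-19 digit run (PAN-like)."""
    return re.search(r"\d{13,19}", "".join(stream)) is not None

def pause_and_resume(events: list[CallEvent], paused: bool):
    """Pause-and-resume: the agent hears every event; only the recording is
    suppressed, and only if the agent actually paused it during card entry."""
    agent_heard, recording = [], []
    for ev in events:
        agent_heard.append(ev.payload)
        if not (paused and ev.kind == "dtmf"):
            recording.append(ev.payload)
    return agent_heard, recording

def dtmf_masking(events: list[CallEvent]):
    """Hypothetical intercepting design: digits are captured before the
    contact centre, replaced with a mask marker toward agent and recorder,
    and only the captured PAN is passed to the processor leg; the agent
    receives a masked reference (last four digits) to confirm with the caller."""
    agent_heard, recording, digits = [], [], []
    for ev in events:
        if ev.kind == "dtmf":
            digits.append(ev.payload)
            agent_heard.append("*")   # flat tone / masked marker, not the digit
            recording.append("*")
        else:
            agent_heard.append(ev.payload)
            recording.append(ev.payload)
    pan = "".join(digits)
    return agent_heard, recording, pan, "*" * (len(pan) - 4) + pan[-4:]
```

With pause and resume, the agent stream still contains the full number and the recording is only clean if the agent remembered to pause; with the masking design neither the agent nor the recorder ever sees a digit.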

Molly Shane

Senior Account Executive

If you're looking to tighten internal PCI DSS and compliance measures and step up your game when it comes to your customers' payment security, check out Eckoh's site to see how dozens of Fortune 500 companies use Eckoh to descope their contact centers from PCI DSS entirely and future-proof their infrastructures against a potential data breach.
