
PCI DSS: What's the cost of doing nothing?
Wednesday, 11 April 2018

Most of us hate petty rules and red tape, and if there’s no penalty for non-compliance we tend to turn a blind eye. But is PCI DSS something that merchants can ignore — or does neglect come at a devastating price?


There are many risky things in life that people sometimes 'get away with'. At the less serious end, there's cutting your own hair or attempting plumbing by following YouTube videos. At the deep end, there's going sailing without a life jacket or a communications system.

For merchants taking card payments, where does compliance with the Payment Card Industry Data Security Standard (PCI DSS) stand on the risk spectrum?

PCI DSS relates to how you process, store or transmit cardholder data. It's especially relevant if you take payments over the phone, web, mobile app or chat channels.

But is PCI DSS compliance an optional extra for merchants or a must-have? And if you decide to skip it altogether, what are the potential implications if things go wrong?

To get to the truth, it's important to bust three myths and look at the real costs behind them.

Myth #1: PCI DSS compliance is not a legal requirement, so it doesn't matter to us

It's true, PCI DSS itself isn't enshrined in law, but it is required by the card schemes such as Visa, MasterCard or American Express. As the name suggests, the standard belongs to the Payment Card Industry Security Standards Council (the PCI SSC) and it provides a baseline of technical and operational requirements designed to protect cardholder data. It's for merchants to follow if they want to take card payments, and for the card schemes to enforce.

The cost of doing nothing: If you suffer a data breach, then the card schemes (through your bank) could fine you and restrict your ability to take card payments. Could you cope with the costs? Could you afford to run your business without accepting cards?

Myth #2: Criminals will never target us

Maybe you think you don't take enough payments for any hackers or rogue staff to be interested in stealing your customers' card data? This is a seductive argument but reality tells a different story. One well-known department store with only a handful of outlets fell victim recently. An employee stole 22 card numbers and made over £300,000 worth of fraudulent purchases. Put simply, if you handle cardholder data at all, you could be targeted.

The cost of doing nothing: As well as penalties from the card schemes, the law can get involved if customers are impacted. Fines can run into many thousands for small companies, and millions for larger merchants. There’s also the damage to your reputation and customer confidence.

Myth #3: We've got anti-virus and we patch our software, so we're safe

Well done, that's one area shielded. But it's not enough. Once cardholder data enters your environment and systems, it will attract criminals. They'll hunt for weak links in your contact centre, recording systems, devices, paper document handling, network connections and more. Everything must be kept watertight. As software security tightens, criminals attack weaknesses such as people and telephone systems.

The cost of doing nothing: PCI DSS compliance isn't a back-office issue or an IT tick-box exercise ... it's a business essential. Customers expect you to keep their sensitive data safe and they're increasingly aware of the issue. A recent survey found that consumers would be more likely to stop using a retailer (54%) than a bank (51%) if they were to suffer an online breach (1). A data breach will harm your reputation and customer loyalty. Plus, most countries impose legal requirements to protect customer data.

Crunching the numbers

The cost of doing nothing about PCI DSS can be eye-watering if you experience a data breach. Fines, restrictions on taking card payments, lost business and a damaged brand reputation could follow. Don't be surprised if it threatens jobs too.

By doing nothing about PCI DSS compliance, individuals aren't just taking a risk with their own careers or money; they could be affecting the livelihoods of colleagues, customers, investors and other stakeholders.

As US Deputy Attorney General Paul McNulty famously once said when talking about corporate compliance:

'If you think compliance is expensive, try non-compliance.'

Looking for a pain-free path to PCI DSS compliance? Download your free copy of our definitive guide to PCI DSS. You'll discover everything you wanted to know about secure payments but were too afraid to ask.

If you're not convinced by PCI DSS compliance, then read our jargon-free guide, which explains the rise in CNP (card-not-present) crime in contact centres, where you're vulnerable and what you can do to combat the threat.

Alternatively get in touch.

Sources: (1) Gemalto, 2016 Data Breaches and Customer Loyalty Report.

About the Author

Tony Porter

Head of Global Marketing

Tony has over 30 years’ experience in sales, marketing and business development and currently leads these activities for Eckoh in both the UK and US markets and across all sectors. Tony’s role focuses on helping contact centres to improve their customer engagement, making them convenient and secure for consumers to use. He understands the challenges organisations face around PCI DSS compliance and how to make the Omnichannel contact centre experience a satisfying reality. He is a regular speaker at events on topics such as PCI DSS, GDPR, contact centre technology, IVR solutions, self-service, secure payments, marketing and business development.
