The latest thinking from Eckoh

PCI DSS: What's the cost of doing nothing?
Wednesday, 11 April 2018

Most of us hate petty rules and red tape, and if there’s no penalty for non-compliance we tend to turn a blind eye. But is PCI DSS something that merchants can ignore or does neglect come at a devastating price?

PCI DSS cost of nothing 900

There are many risky things in life that people sometimes 'get away with'.At the less serious end, there's cutting your own hair or attempting plumbing by following YouTube videos. At the deep end, there's going sailing without a lifejacket or a communications system.

For merchants taking card payments, where does compliance with the Payment Card Industry Data Security Standard (PCI DSS) stand on the risk spectrum?

PCI DSS relates to how you process, store or transmit cardholder data. It's especially relevant if you take payments over the phone, web, mobile app or chat channels.

But is PCI DSS compliance an optional extra for merchants or a must-have? And if you decide to skip it altogether, what are the potential implications if things go wrong?

To get to the truth, it's important to bust three myths and look at the real costs behind them.

Myth #1: PCI DSS compliance is not a legal requirement, so it doesn't matter to us
It's true, PCI DSS itself isn't enshrined in law, but it is required by the card schemes such as Visa, MasterCard or American Express. As the name suggests, the standard belongs to the Payment Card Industry Security Standards Council (the PCI SSC) and it provides a baseline of technical and operational requirements designed to protect cardholder data. It's for merchants to follow if they want to take card payments, and for the card schemes to enforce.

The cost of doing nothing: If you suffer a data breach, then the card schemes (through your bank) could fine you and restrict your ability to take card payments. Could you cope with the costs? Could you afford to run your business without accepting cards?

Myth #2: Criminals will never target us
Maybe you think you don’t take enough payments for any hackers or rogue staff to be interested in stealing your customers' card data? This is a seductive argument but reality tells a different story. One well-known department store with only a handful of outlets fell victim recently. An employee stole 22 card numbers and made over $400,000 worth of fraudulent purchases. Put simply, if you handle cardholder data at all, you could be targeted. The cost of doing nothing: As well as penalties from the card schemes, the law can get involved if customers are impacted. Fines can run into many thousands for small companies, and millions for larger merchants. There’s also the damage to your reputation and customer confidence.

Myth #3: We've got anti-virus and we patch our software, so we're safe
Well done, that's one area shielded. But it's not enough.Once cardholder data enters your environment and systems, it will attract criminals. They'll hunt for weak links in your contact center, recording systems, devices, paper document handling, network connections and more. Everything must be kept watertight. As software security tightens, criminals attack weaknesses such as people and telephone systems.

The cost of doing nothing: PCI DSS compliance isn't a back-office issue or an IT tick-box exercise ... it's a business essential. Customers expect you to keep their sensitive data safe and they're increasingly aware of the issue. A recent survey found that consumers would be more likely to stop using a retailer (54%) than a bank (51%) if they were to suffer an online breach(1). A data breach will harm your reputation and customer loyalty. Plus, most countries impose legal requirements to protect customer data.

Crunching the numbers
The cost of doing nothing about PCI DSS can be eye-watering if you experience a data breach. Fines, restrictions on taking card payments, lost business and a damaged brand reputation could follow. Don't be surprised if it threatens jobs too.

By doing nothing about PCI DSS compliance, individuals aren't just taking a risk with their own careers or money — they could be affecting the livelihoods of colleagues, customers, investors and other stakeholders.

As US Deputy Attorney General Paul McNulty famously once said when talking about corporate compliance:

'If you think compliance is expensive, try non-compliance.'

Looking for a pain-free path to PCI DSS compliance?

Download your free copy of our definitive guide to PCI DSS. You'll discover everything you wanted to know about secure payments but were too afraid to ask.

If you’re not convinced by PCI DSS compliance then read our jargon-free guide which explains the rise in CNP crime in contact centers, where you’re vulnerable and what you can do to combat the threat.

Sources: (1): Gemalto 2016 Data Breaches and Customer Loyalty Report;

About the Author

Todd Funk

Todd Funk

Senior Executive Vice President. Todd has more than 25 years experience in contact centers, including 20 years at the senior management level, he totally understands how to work effectively with customers, ensuring they get the most out of their investment in our solutions. Most recently, prior to Eckoh, Todd was the CEO of PSS. Todd's role at Eckoh involves overseeing the company's key frontline functions at a strategic and operational level, with a focus on Customer Contact Solutions. This includes the professional services, project delivery activities, solution integration and support services as well as other areas of the company's operations.

Connect with us on LinkedIn

Tweets by @Eckoh

Eckoh (@Eckoh)

Eckoh (@Eckoh)

Do you feel you’re being forced into upgrading your contact centre to the next, new shiny version? Even after all the time and investment you’ve put into it? No, it doesn't have to be that way. There is an alternative...…
Eckoh (@Eckoh)

Eckoh (@Eckoh)

Ineffective solutions could be wasting your time and money. What are these ineffective solutions and what can you do to fully de-scope your contact centre. Read the latest blog and find out how to prevent the risk of fraud and the impact of data breaches.…
Eckoh (@Eckoh)

Eckoh (@Eckoh)

In the fourth part of our 'Contact centre of the future' series, Ashley Burton, Head of Product at Eckoh, reveals how customers will make purchases via the Contact Centre in our latest blog. Click the link and find out more..… #payments