Although taking data security beyond PCI compliance may seem unfeasible and out of reach, the financial consequences of a breach or hack far exceed the cost of exceptional security measures. Forbes BrandVoice contributor Jeremy Lacy points out key consequences of failing PCI compliance.
Ignorance can be quite blissful. For instance, I had never really considered how credit card fraud could affect me. Not until I received a call from my credit card company.
The credit card representative asked if I had visited Los Angeles and San Diego in the last 10 days (I live in Texas). When I told the rep that no, I indeed had not been in California, my perspective on credit card fraud changed forever. I learned that an online purchase I had made a few weeks before had been hacked and my credit card information compromised. But instead of going out and buying a TV or big money item with my credit card number, the criminal bought several small items (DVDs, makeup, movie tickets) in the southern California area. The logic was to see if I caught on that I was being robbed before they went out to buy the big stuff.
After going through the hassle of closing my credit card account, opening a new one, changing my online automatic payments, and all the rest of it, I got to thinking. I didn’t like the consequences of the hack. But what about the online company I had purchased from? What about any company that gets hacked?
You see, if your company processes credit or debit card transactions, you need to comply with PCI DSS: the Payment Card Industry Data Security Standard. But what if you fail to comply – even if it’s a completely unwitting error on your part? Well, here are 7 consequences you can expect … and they are a lot more serious than the petty irritations I experienced from having my card number stolen. After all, with me, a criminal could steal thousands; with a company, he could steal millions or even billions.
Consequence #1: Compensation Costs
Trust needs to be rebuilt. You may have to reassure people with compensation in the form of free credit monitoring and/or identity theft insurance, as Michaels has done. It’s free for your customers … but it’s not free for you.
Consequence #2: Legal Action
Yep – lawsuits are commonplace nowadays. And hack victims are quick to file suit. Win or lose, legal action costs big time bucks. Some of you may recall, in 2007 TJX (the parent company for TJ MAXX, Marshalls, Home Goods, and Sierra Trading Post) paid in the ballpark of $40.9 million for a data breach that exposed more than 100 million cards to potential fraud. That was almost 7 years ago, and since then, data breaches have only gotten more complicated and costly.
Consequence #3: Bank Fines
The good news: if customers’ credit cards are actually used to purchase stuff fraudulently, you don’t have to foot that bill; the banks do the reimbursing. The bad news: the banks pass on those costs to you in the form of fines.
Consequence #4: Federal Audits
If you are a big enough player on the commercial field, the Federal Trade Commission, which has the task of monitoring organizations that have failed to comply with PCI and thereby affected large numbers of U.S. citizens, may want to audit you regularly from here on out. They also may decide to fine you themselves. And with federal audits come very strict requirements for compliance.
Consequence #5: Remediation Costs
You’re also going to have internal remediation costs: costs to investigate what happened, improve your security posture, fire and hire employees … whatever it takes to fix your internal information security environment.
Consequence #6: Lost Revenue
Let’s face it – bad news travels fast. As soon as people know your data has been hacked, compromised, or otherwise messed with, your customers will be leaving trails of dust behind them in their effort to get far away from you. Target’s profits dropped $440 million in the fiscal fourth quarter following their hack fiasco. As a consumer, I have not set foot inside a Target store since the story broke.
Consequence #7: Damaged Reputation
If you Google “Neiman Marcus hack,” you’ll get over half a million results … none of which enhance the store’s general reputation and standing with their target market. Here are some of the choicer headlines Google returned to me today:
- 1.1 Million Cards Compromised in Neiman Marcus Hack
- Neiman Marcus missed 60,000 alerts about card hack
- Neiman Marcus hack reportedly went undetected for month
Damage on this scale can never be “fixed,” as such. At best, it can be ameliorated with countless hours of reputation management, marketing, and PR.
You can see how the total costs of a data breach can easily reach into the millions. For big companies, the figure could top $1 billion over time. With consequences like these, you don’t want to risk a PCI compliance failure.
So what do you do? The wisest course of action for most organizations – whether small or large – is to work with a quality security advisory (QSA) partner such as Sungard Availability Services. A QSA knows the entire PCI playbook, can deliver cloud and physical environments that have PCI compliant infrastructures, and can monitor your transactions 24/7.
Remember: nothing is worth the risk of getting hacked. I just had to close my credit card account and open a new one. Your entire business is on the line.