The following is a guest post by Mark Burnette. You can reach him directly here.
The PCI Data Security Standard (PCI DSS) is a set of rules established by the major card brands to protect cardholder data. Though these are contractual industry rules rather than laws, non-compliance can result in stiff fines and penalties for a business, and can even cost it the ability to accept credit cards. What's more, these rules apply to every business that stores, processes, or transmits card data, from mom-and-pop shops to retail titans.
So what exactly happens to a business when it’s caught out of compliance?
Fines and penalties
Let's say your business has suffered a data breach. The card brands have no direct contract with you; their relationship is with your acquiring bank (the bank that processes card transactions for you). So they will first go to the acquirer and assess how well it has tracked your PCI compliance. Once they have established the bank's level of monitoring and enforcement, they may fine the bank if you were not compliant at the time of the breach, and there will typically be penalties tied to the breach itself as well. The bank will very likely pass those fines and penalties on to you under the terms of your merchant agreement.
You'll hear talk of PCI compliance fines, and those fines can range from $5,000 to $100,000 a month, depending on factors such as the size of your business and the length and degree of your non-compliance. The fine is typically assessed monthly and rises over time until you are back in compliance. If you still don't comply, your ability to accept credit cards may eventually be revoked.
Note that the card brands may impose a separate penalty for a data breach even if you were compliant with PCI DSS when the breach occurred; these assessments are generally meant to recover the issuers' costs of reissuing cards and absorbing fraudulent transactions. The card brands don't publish the amounts of these penalties, but they will no doubt be higher for businesses that were not compliant when they suffered a breach.
What to do
When you experience a data breach, the implications go beyond PCI. When this was written, 47 of the 50 states had breach notification laws covering personal information (today all 50 do). These laws are generally triggered when a person's name is exposed together with another identifier, such as a Social Security number, driver's license number, or financial account number, so you may well have a notification obligation even if no credit card numbers were accessed.
After a breach, take responsibility and minimize the impact as much as possible. Preserve logs and affected systems rather than wiping and rebuilding them immediately, because the card brands will typically require a forensic investigation by a PCI Forensic Investigator (PFI) to determine what was exposed. Tackle the problem head on and make sure it can't happen the same way again. Make sure individuals whose data was compromised are protected; this may mean paying for identity protection coverage for affected customers.
To reduce the chance of ending up in this situation in the first place, we recommend checking out the PCI Security Standards Council's web page for small and medium businesses. It gives a good summary of your responsibilities and the resources available to you, and will help you better protect both your customers and your business.