The Good, the Bad and the Ugly of PCI Compliance; why it's Essential and what you can do to Prevent Falling Victim
Payment Card Industry Data Security Standards (PCI DSS) are for the set of standards companies must meet if they accept credit card transactions. Securing data through PCI compliance is crucial. But achieving and maintaining PCI compliance isn’t easy, particularly for businesses without a dedicated security team.
Compliance is set as a number of ‘levels’ and these are based on the number of transactions that you handle over a 12-month period.
Mandated by the Payment Card Industry Standards Council, PCI compliance is there to help protect your customer’s data against credit card fraud. It’s a vital aspect of business if you’re a company that accepts card payments over the phone.
You don’t want to find yourself involved in a showdown with faceless hackers that are trying to bring down your business. And this is why you need to consider the good, the bad and the ugly of PCI compliance.
When it goes wrong: the bad
PCI compliance isn’t just a worry for small to medium sized businesses, it’s one for the big players too. Large companies like British Airways, Dixons Carphone, Ticketmaster and HSBC have all fallen victim to a breach. So, what went wrong?
The British Airways breach is claimed to have been caused by modified scripts on payment forms on BA’s website that delivered the payment information to an attached-controlled server whilst maintaining functionality to avoid detection. Yes, PCI doesn’t just effect you over the phone, but on the web as well. With the increase in online shopping, caution is advised to companies who don’t want to fall victim like BA did.
In the case of Dixons Carphone, it confirmed that 105,000 customer’s payment card details had been compromised. Due to the fact they didn’t have chip and pin protection, many experts have summarised that the company’s defences fell a long way short of best practice. The incident occurred after the EU’s General Data Protection Regulation (GDPR) was put in place, so it’s looking like Dixons will face the hefty fine and much more (the ugly).
For Ticketmaster, it was a single piece of JavaScript that lead to 40,000 people’s details being accessed by a criminal hacker. Data including names, addresses, email addresses and telephone numbers, Ticketmaster login details and payment card information.
HSBC experienced a data breach in their outsourced abroad contact centre. The card details from 16 of the bank’s UK customers were supplied to fraudsters, who then went on to steal £230,000.
There are many lessons to be learnt from mistakes other companies have made. Particularly with ensuring that there is enough security around your payment forms and phone payments in the contact centre. It doesn’t pay to be complacent (but you will).
Business consequences: the ugly
It’s bad enough when the breach occurs. But the consequences afterwards is what really will make your stomach do somersaults.
GDPR & hefty fines
With GDPR in full force now, the bar is set high for managing breaches like credit card fraud. Infringement of GDPR can result in administrative fines of up to 4% of global annual turnover, or €20 million, whichever is the greater number. Once you’ve experience a breach, the clock is ticking. The breach must be reported to your supervisory authority (the ICO in the UK), within 72 hours of discovering a data breach.
Not all infringement of GDPR leads to a fine however, there’s the scope to take a range of other actions such as:
- Issue warnings and reprimands
- Imposing a temporary or permanent ban on data processing
- Ordering the rectification, restriction or erasure of data
- Suspending data transfers to third countries
Even if you do get off lightly, it’s just not worth the risk of a more lenient sentence. The key is prevention and not cure when it comes to data breaches, PCI compliance is prevention in the case of credit card fraud.
Loss of trust amongst customers
The biggest concern when a data breach occurs is the reaction from the customers. Money is easier to get back than reputation. Remember that saying about trust being like a mirror? They weren’t wrong there. After a data breach your customers’ trust is shattered. Why would they trust a company that cannot keep their personal data safe?
You don’t want to earn a reputation for cost-cutting, like BA, who are still feeling the effects of their hacks. Data breach preventions like PCI compliance are better invested in properly to ensure the risk is reduced as much as possible.
Other intangible consequences
Reputation isn’t the only intangible consequence to a data breach. Your business credit score will be affected as well. Making it more of a challenge to obtain credit, since this is something that’s entirely based on risk.
There’s also the risk that a data breach poses to your trade secrets and intellectual property. In the UK, 20% of businesses admit they have experienced a data breach, which has resulted in material loss.
Experiencing a breach makes you vulnerable. After experiencing a breach you open yourself up to other hackers and increase the likelihood that you will be targeted. Infrastructure is essential when it comes to PCI compliance, you must show no weakness.
Prevention solutions: the good
The good news is, there are many fantastic solutions out there that will help make you PCI compliance, and partners to help you implement and manage them. Recently we’ve helped one of the UK’s leading automotive glass distributors meet their PCI compliance requirements.
First implementing ComputerTel PCI call recording. A technology that automatically pauses the call & screen recordings, whilst your agents process the payments. This technology can be customised to your businesses requirements and as PCI compliance evolves and changes over time.
The next level of security with our PCI compliance solution, ensures that the agent cannot record the card details, because they bypass the agent. Atmoso ensures that the Dual Tone Multiple Frequency (DTMF) tones are masked on call recordings. So it’s impossible to work out card details from the tone of the buttons that are pressed when your customer is inputting their details.