The price of PCI non-compliance in a post-GDPR world

Posted by Chris Scott

Despite monetary penalties being long-established for non-compliance with PCI DSS, it is only in the eight months following the introduction of the General Data Protection Regulation (GDPR) that businesses have truly started to pay attention to the potential cost of inadequate data security.

Although GDPR was brought in to properly safeguard the collection and processing of sensitive personal information as a whole, and PCI DSS was specifically designed to protect payment card data, there is some cross-over that it is important to recognise.

With payment card data falling under personally identifiable information (PII), any breach involving this type of data will now not only contravene PCI DSS requirements, but could also result in companies being given a potentially devastating fine from the Information Commissioner’s Office (ICO) under GDPR.

The fast-paced evolution of the payment industry, and the technology it is built on, is making it increasingly difficult for organisations that collect, store and process payment card data to achieve compliance. It is therefore more important than ever to understand PCI DSS and its relationship with GDPR in order to avoid having to face the music for security negligence.

The cost of non-compliance

We recently analysed all non-marketing-related ICO fines issued between 2015 and 2018 involving breached financial information, to highlight the importance of compliance with PCI DSS now that GDPR is in force.

Overall, this research revealed that these fines could have risen from £1.74 million to nearly £889 million under GDPR.

In one case, an organisation was fined £400,000 for simply neglecting to update its database software – under current regulations, this could very easily have equated to a hefty £71.3 million.

Another saw hackers exploiting a vulnerability that went unnoticed, resulting in a £500,000 bill – the highest fine that could be issued by the ICO at the time, which could now equate to £102 million when taking the company’s global turnover into consideration.

These fines resulted in both a financial and reputational hit for the companies involved and, what’s worse, implementing a few simple security measures could’ve prevented many of these breaches in the first place.

The bigger picture

As data security remains centre stage, it’s clear that basic security measures are still being missed. Businesses therefore need to place a renewed focus on creating robust security defences that cover the right areas – and complying with PCI DSS is a vital avenue to follow for those that handle cardholder data.

Maintaining continuous compliance with PCI DSS can be a complex process, but putting the necessary measures in place will not only safeguard your customers and your reputation, it can also result in other dividends for your organisation.

Since the requirements of PCI DSS offer an end-to-end approach to keeping information safe and cover people, processes and technology, its principles can be applied to a wide range of different data sets.

Embedding these technical controls into your business can therefore hugely improve the security of all types of data across your organisation, helping to lay the necessary foundations needed to comply with GDPR and other compliance mandates.

But achieving PCI DSS compliance and implementing robust security measures remain areas that businesses struggle to tackle, often because they try to go it alone.

Our PCI DSS experts at The Bunker know the standard inside out, and can work with your business to help you understand how to satisfy each requirement, while enhancing overall security to meet further regulations.

Download our whitepaper here to find out more about the penalties you could face and what you can do to make your PCI DSS compliance journey as smooth as possible.