As a general rule, all businesses that store and process credit and debit card information are required to comply with the Payment Card Industry Data Security Standard (PCI DSS) to keep their customers’ data safe. However, because most small and medium-sized merchants process relatively few credit cards, they often wonder whether compliance is strictly necessary, and what would happen if they feign ignorance. But as statistics show, this tier of enterprises is the most vulnerable to cybercrime, accounting for more than 70 percent of all hacker activity in the business world.
So, if you’ve been asking yourself what you might be risking by not being PCI compliant, here are seven dire consequences you can expect.
1. Fines
Credit card companies charge non-compliant merchants heavily, depending on the volume of sales, the PCI DSS level at which you’re required to be, and the amount of time you’ve been non-compliant. Moreover, if a customer’s credit card is used to make fraudulent purchases, the expenses that your bank or payment processor incurs when reimbursing the victim will be passed on to your business as fines.
2. Legal Action
Identity theft victims often file lawsuits against merchants who put their data at risk, and businesses that lose these cases end up paying millions to settle. Even if you win, you’ll still have legal fees to cover, not to mention the work hours you’ll spend fighting in court instead of running your business.
3. Federal Audits
It is the job of the Federal Trade Commission to monitor organizations that fail to comply with PCI standards. If a data breach occurs and the investigation reveals you were non-compliant, the FTC may want to audit your business regularly going forward. Federal audits come with very strict compliance requirements, and hefty fines for those who fail to meet them.
4. Forensic Costs
After a cybercrime incident, it will be up to you to find out what happened and which preventive measures to take. Forensic examinations can cost thousands of dollars, and you’ll be entirely liable for them if evidence of a compromise or non-compliance is uncovered.
5. Compensation Costs
If you don’t comply with PCI standards, you’ll probably have to reassure your clients with free compensation in the form of credit card monitoring, identity theft insurance or both. Your customers won’t pay for these services, but you will.
6. Damaged Reputation
In addition to heavy costs, putting your customers’ bank account information at risk can result in irreversible damage to your reputation. A serious attack can compromise the trust that your clients have in you, and you will require countless resources in PR management, rebranding, and marketing to get back on their good side. If your business collects sensitive payment information, particularly over the phone, go to https://ivrnet.com/over-the-phone-credit-card-fraud-pci-compliance-guide-for-business-and-government and learn how to safeguard your reputation by remaining compliant with security standards.
7. Revenue Loss
A negative impact on your reputation can drastically decrease your revenue. Bad news travels fast, and as soon as word gets out that your data has been compromised, customers will want to get as far away from you as possible. It’s therefore not surprising that 60 percent of SMEs that suffer data breaches close shop within just six months of the incident.
Many small- and medium-sized enterprises do not realize the risks that come with ignoring PCI standards until it’s too late. With consequences like the ones above, you wouldn’t want to risk non-compliance.