As a PCI QSA, I am often asked by clients at the beginning of their compliance journey why they should comply with PCI DSS. If there is no pressure from compliance reporting entities or customers to achieve compliance, you may wonder why you should spend time and money without a clear benefit for your organisation.
However, if you are not currently PCI DSS compliant, here are several reasons you should consider achieving compliance.
Reasons for Merchants to Comply with PCI DSS
Merchant Agreements
If your organisation signs up for a merchant account from an acquirer, you must complete contractual documentation such as contracts, security clauses, schedules, etc. Often, there is a clause within one of those legally binding documents which states that you (the merchant) must ensure and/or demonstrate that the payment mechanism used to process credit/debit card payments into the merchant account operates in accordance with the relevant PCI DSS requirements. Failure to comply with this clause is likely to result in a contractual breach with your acquirer.
An Acquirer Forces Your Hand
As a merchant, if you move your business from one acquirer to another, the new acquirer often requires that you demonstrate PCI DSS compliance for the merchant account(s) within 12 months of transferring payments to the new acquirer. I have heard of acquirers providing advance notice of this requirement to merchants prior to the migration of payments.
This allows merchants suitable time to complete any de-scoping or remedial activities before formally reporting PCI DSS compliance. At the other end of the spectrum, some merchants are only made aware of this requirement during the acquirer’s annual compliance reporting notification.
Potentially Unknown Impact Because of an Incident
During the early stages of a merchant’s compliance journey, the cardholder data flows are often defined informally or are sometimes unknown. The situation is often the same in terms of understanding the technology that would form the scope of the Cardholder Data Environment (CDE).
If this describes your organisation, in the event of an incident, you are likely to experience additional complexity in determining if there has been any impact to cardholder data or system components that form the CDE. You can’t successfully manage the consequences of unknown impacts unless there is clarity of what people, processes, and technology form the CDE.
Proactive Activities are Always Cheaper Than Remedial
In the worst-case scenario, you experience a cardholder data breach that requires a PCI Forensic Investigator (PFI), and you may be forced to undertake remedial activities. At this point, you will not only need to implement the remedial activities following the PFI investigation, but you are also likely to be subject to the most stringent of assessments, as well as to pay for the cost of the PFI investigation itself. (Yes, you read that correctly!)
Monthly Non-Compliance Fines or Increased Transaction Processing Fees
Acquirers often issue a monthly non-compliance fee or apply increased transaction processing fees when merchants are not reporting PCI DSS compliance. Organisations may have already implemented robust de-scoping controls to minimise the scope of their CDE to the smallest number of people, processes, and technology, and the lowest number of applicable PCI DSS requirements.
In this scenario, merchants simply need to validate that the relevant requirements are implemented and complete the corresponding PCI DSS compliance reporting template. A QSA may be required to complete the assessment/reporting template depending on the merchant's annual transaction volumes, or if the acquirer has specifically requested a QSA assessment.
Reasons for Service Providers to Comply with PCI DSS
The next points are primarily aimed at service providers. This applies to organisations that don’t own the merchant accounts payments are made into but provide services as part of a customer’s payment channel(s) or that could impact the security of cardholder data if compromised.
Third-Party Due Diligence Processes
Organisations across all sectors and geographies are maturing their Third-Party Risk Management (TPRM) processes in response to regulatory requirements and in line with industry best practice. At the same time, even organisations that aren't maturing their own TPRM processes are often downstream entities or suppliers of those that are, and so get caught in the net of their customers' TPRM processes during periodic due diligence reviews.
If you are supporting merchants processing cardholder data, or could impact the security of cardholder data, you are likely to be requested to demonstrate that your services are PCI DSS compliant, or to absorb the commercial cost of being included in each merchant entity's assessment.
Competitive Disadvantage
As part of requests for information, invitations to tender, and bids, it is common practice for the requestor to ask for a copy of your Attestation of Compliance (AoC) to demonstrate that you have been self-assessed or independently assessed by a QSA as meeting the relevant PCI DSS requirements.
Without an AoC, your services will need to either be included as part of the merchant's PCI DSS assessment activities, or you may be asked to self-assess or have your services independently assessed by a QSA (annual transaction volume dependent), which adds complexity and potential costs compared to proactively achieving PCI DSS compliance.
Key Takeaways
Whilst you may not be chased to report PCI DSS compliance from your compliance reporting entity or from your customers, there may be other external parties interested in your compliance position.
The cost, time, effort, and general stress associated with achieving compliance as a result of external drivers (customer requirements as part of due diligence, last-minute compliance reporting requirements from acquirers, etc.) could be far greater than that of any proactive, well-planned and budgeted compliance projects/workstreams.
You may already be paying non-compliance fines or increased transaction processing fees that are higher than what the cost of validating and reporting PCI DSS compliance would be.
You can’t assure stakeholders that you have adequate and robust controls to protect cardholder data if you don’t know where it is stored, processed, or transmitted, and you haven’t sought assurance from those entities completing these activities on your behalf or that could otherwise impact cardholder data security.