Consequences of not complying with PCI DSS

When the PCI DSS (Payment Card Industry Data Security Standard) was launched back in 2006, it had a clear mission: to unify the requirements that financial institutions requested from businesses for the use of credit and debit cards as payment methods. In this way, companies such as Visa, MasterCard, American Express, Discover, and JCB joined forces to create a standard by which the industry would be governed from then on.

Without a doubt, it was good news for many businesses that used different types of card payments, since they would only need to meet common parameters to comply with the security measures each company required.

Penalties from financial institutions

There is no doubt that the use of payment cards carries a risk—just like any other financial transaction. Many criminals wait for the slightest mistake to attack and make off with a good haul, especially when operations are carried out online. For this reason, financial institutions that issue cards can penalize companies that do not comply with the security standard, that is, PCI DSS. In fact, sometimes fines can amount to thousands of euros. In this regard, you should know that although all companies adhere to PCI DSS, each one has its own penalty table, which you should review when using their cards as payment methods.

Consequences of not complying with PCI DSS

Given all the above, if your business allows the use of credit and debit cards as payment methods, you must comply with the requirements of the PCI DSS standard. To do this, you must obtain certification, as it will indicate that you have taken the necessary security measures to prevent possible attacks.

However, there are companies that decide not to obtain certification. The reasons may vary greatly, but the consequences in the event of a security incident are very clear:

Financial penalties. As mentioned above, fines for not complying with PCI DSS and suffering an attack—with the resulting economic loss and exposure of critical data—vary depending on the magnitude of the incident. The minimum amount is usually 5,000 euros and can reach up to one million euros in extreme cases—fines increase progressively if the issue is not resolved. Without a doubt, this can disrupt any company’s finances and could even lead to closure.
Non-financial penalties. In addition to monetary fines, financial institutions may impose other actions such as contract termination or removal of POS terminals. These measures leave the business without a key payment method, especially for e-commerce.
Poor reputation and loss of customers. Suffering an attack due to lack of required security measures results in a terrible image for the business. This will lead to customer loss, either because they cannot make purchases using payment cards, or due to fear of suffering an attack themselves.
Violation of the law. When an attack occurs, customer data is exposed, meaning there is a violation of the General Data Protection Regulation (GDPR). Therefore, legal actions may be taken against the company.

PCI DSS and data protection

Regarding this last consequence, it should be noted that PCI DSS compliance is closely related to the protection of personal data and, therefore, with the GDPR and the Organic Law on Personal Data Protection and Digital Rights Guarantee (LOPDGDD).

Keep in mind that credit and debit card information includes the personal data of cardholders. Therefore, if a breach occurs, the business will not only face possible individual lawsuits from customers, but may also be sanctioned for failing to comply with the LOPDGDD.

In this case, penalties depend on the level of severity: minor (up to 40,000 euros), serious (from 40,001 to 300,000), and very serious (from 300,001 to 20,000,000 or 4% of annual turnover). Ultimately, complying with the requirements demanded by financial institutions and obtaining PCI DSS certification is not optional and improves the security of financial transactions made with payment cards, preventing possible penalties that could end your business.

If you have any questions or would like to learn more about the PCI DSS certification process, do not hesitate to contact us. At BOTECH we will resolve your questions and assist you in every step you need to take to ensure your business’s security meets the highest standards.