
The Importance of Sustaining PCI DSS Compliance

Written by SRM

18th March 2015


In 2015, the good news is that businesses are getting better at achieving full PCI compliance. In fact, fully compliant organisations rose from 11.1% in 2013 to 20% by the end of 2014(1). The challenge going forward, however, is not in achieving this standard but in sustaining it.

As the PCI Security Standards Council states: “PCI DSS compliance is an ongoing process, not a one-off event.”

The Payment Card Industry Security Standards Council was formed in 2006, when the major players in the credit card business (Visa, Mastercard, American Express, Discover and JCB) came together to reduce credit card data loss. That council established a standard for the security of cardholder data, and the PCI Data Security Standard (PCI DSS) was born.

Despite the uplift in full compliance over the last twelve months, this still means that 80% of organisations are not meeting 90% of all sub-controls and testing procedures within the PCI DSS. And if there is a breach, the penalties for falling below the standard are severe.

Failure to meet compliance standards, resulting in compromise of systems, can lead to fines from credit card companies and banks. At worst, it can even lead to the removal of the facility to process payment cards and penalties from £3,500 to £350,000. Hard to stomach though they may be, these potential fines are not even the worst of it: non-compliance can ultimately result in the complete collapse of a business.

If, however, a merchant can be deemed to have been compliant at the point at which a compromise occurred, and full compliance can be demonstrated during forensic investigation, the potential fines from the card brands may be waived.

The crucial message to all UK companies, big and small, is to keep PCI DSS compliance at the forefront of their business strategies. It is not sufficient to achieve full compliance in 2015; the same levels must also be achieved in subsequent years. The only protection against potential heavy penalties is to be able to demonstrate this year on year.

(1) Verizon 2015 Report