Welcome to the first installment of our three-part series on PCI compliance and how it relates to marketing. In this entry, we discuss the foundations of what PCI actually is and why it has become a household term in recent months.
A Long Time Coming
Before the PCI SSC came into being, each card brand had its own data protection regulations that merchants had to comply with. Merchants found this system unsatisfactory and demanded a single industry standard for security regulations covering all card brands. Thus, the PCI SSC was born.
Visit the PCI DSS wiki page for further details. http://en.wikipedia.org/wiki/Payment_card_industry
The PCI DSS (Payment Card Industry Data Security Standard) was developed by the PCI SSC (Payment Card Industry Security Standards Council) in September of 2006 to create an industry standard for organizations that handle cardholder information. It was created to protect against credit card fraud, to protect customers by giving them a safe shopping environment, and ultimately to hold irresponsible business owners liable. A link to the entire standards overview is below.
However, as we’ve seen, this system is not infallible, and breaches still occur, which can lead to fines.
What is a Breach?
A breach occurs any time cardholder data is compromised. Cardholder data is any personally identifiable data associated with a cardholder: an account number, expiration date, name, address, social security number, etc. All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is considered cardholder data. Even if only one of these items gets out, you are going to be held responsible.
If it has been established that you willfully disregarded PCI compliance, the fines can be rather hefty. There are three Merchant Levels your business can fall under, depending on the volume of transactions you process every month. These fines are assessed directly by the credit card authorizing entities (Visa, Mastercard, etc.). Fines can range from $10,000 to $25,000 for first violations up to $200,000 for repeat offenders, and they are assessed on a per-incident basis.
So what are the tangible penalties for businesses that fail to meet the standards of PCI compliance? One only has to look to a recent example to see just what we’re driving at.
We all know it takes years to build trust, but it only takes suspicion, not proof, to destroy it. Consumers will always prefer to work with organizations they can trust and that they know have their best interests in mind. As such, the concept of building trust as a marketing advantage shouldn’t be that foreign. On the web especially, trust is earned very slowly, and often the slightest hiccup will irrevocably change how your consumers view you. Remember, marketing is all about perception, not reality.
I have seen it time and time again: companies put the bottom line ahead of building trust with their consumers. That is not only an extremely myopic approach to doing business, but also a very dangerous game of cat and mouse with consumers who are becoming more and more technologically advanced. Today, your potential customers are going online to look at reviews, check security certificates, etc.
Enter 2013, when the consumer-products conglomerate Target was hacked from the inside out. The theft involved confidential credit and debit card data of as many as 40 million Target customers. With Secret Service agents in Minneapolis investigating the extent of the fraud, Javelin Strategy & Research, a web security consulting firm, estimates the total damage to banks and retailers could exceed $18 billion.
Here is the clincher to it all. The entire malware system was allegedly designed by a 17-year-old Romanian boy who sold the malware on the black market for $2,000. The malware included auto-erasing technology and leveraged proxy servers from around the world to hide the perpetrators’ whereabouts. In the end, the thieves had collected about 11 gigabytes of data (less than the storage available on an iPad mini), yet enough to cover 40 million payment card records, many of which were sold on the black market and used to produce counterfeit cards. To date, nearly 70 lawsuits have been filed, many of them seeking class-action status.
To read the full story, see the NY Times article referenced here: http://www.nytimes.com/2014/01/18/business/a-sneaky-path-into-target-customers-wallets.html?_r=1
Despite the potentially heavy penalty that Target may receive, there are quite a few lessons we can take from their example and others. To find out how you can use this information to give yourself an edge, read our next installment!