Get PCI Compliance Right the First Time

October 19, 2018 • Published Categories PCI 101Tags ,

The co-owner of three restaurants in coastal Georgia, Carla had just upgraded her old POS system to far more current technology. A driving force behind the upgrade was Carla’s belief that it would make her business PCI compliant. She would get PCI compliance right, she thought, because her restaurants were using the latest and greatest payment technology.

Carla asked PCI-related questions during the purchasing and implementation process, but only at a high level. After all, she was no IT expert. She assumed that the system met her business’s data security needs, and she began using it with confidence.

Making assumptions causes blind spots.

Unfortunately for Carla, someone hacked the POS system just months after the new equipment went in. Now she had a data breach to deal with.

What did Carla miss? For one, she didn’t have a basic understanding of where her customers’ credit card data was going once it entered the POS. Turns out the data was being stored on her system’s hard drive. She also didn’t update the administrative password to the system, which is basically like leaving the key in the lock.

The biggest assumption Carla made, however, was that PCI compliance would be done for her. In other words, she would “get PCI compliance” through her technology. While it’s true that you are far better off utilizing PCI-compliant technologies and service providers, your business still must take additional steps to ensure its overall compliance.

Better safe than sorry.

It took Carla nearly a year to return her restaurant group to normal business operations following the data breach. When all was said and done, $80,000 had been lost to bank, forensics and attorney fees alone.

It will always cost a business far less to put the right security and compliance measures in place to begin with, rather than suffer the financial consequences of a data breach because they cut corners. In fact, the 2018 Ponemon Cost of Data Breach Study notes that the average total cost of a data breach increased by 6.4% in the last year alone.

Here are some additional data points from the Ponemon study:

  • Scary Scope: The current average cost of a data breach is $148 per lost record. According to the 2018 study, the average number of records lost in a 2017 breach was 31,645. While your small business may not run customer payments at that scale, consider that a breach of a mere 1,000 records at $150 per record equals $150,000. Are you ready for that?
  • Time Definitely Equals Money: The mean time to identify a breach was 197 days, and it took an additional 69 days (mean time) to contain it. Companies whose breaches were identified in under 100 days, and contained within 30 days, saved more than $2 million ($1 million in each phase) over those that didn’t.
  • Recurring Nightmare: As if the initial breach isn’t bad enough, organizations that still don’t get PCI compliance and overall security right following a breach are 28% more likely to suffer another breach within two years.

What’s Carla’s advice to other small business owners? “Just make sure you’re not storing data anywhere, and make sure that your system is secure, whatever you have to do to do that.”

Getting your business PCI compliant doesn’t have to be difficult and costly. Click here to let us know how we can help you do it right the first time.