Surprised businessman reads statement

Is your merchant services provider charging you additional fees for PCI compliance each month?

How closely do you read your bank and merchant services statements each month? Do you ever see fees for PCI compliance? If you’re not performing annual PCI self-audits or contracting a PCI compliance expert to certify that your POS system is PCI DSS compliant, you could be paying significant non-compliance fees from your merchant services provider each month.

But paying additional monthly fees to your merchant services provider is just the tip of the iceberg. If your POS system has access to payment card data and you are ever found to be the source of fraudulently used credit card data, you could be in line for massive financial penalties.

In this week’s Blog post we’re discussing one of the retail industry’s most controversial topics: PCI DSS compliance and what it means to you, the independent retailer.

What exactly is “PCI DSS Compliance”?

In 2018 alone, more than 6,500 data breaches were reported according to a report from Risk Based Security. While this statistic includes breaches of all kinds, a great many of them were perpetrated on retailers and were specifically targeting credit card data. At one time, the credit card companies would bear the cost of credit card fraud; when card theft was largely due to sloppy card handling practices by retail cashiers. But as computerized POS systems became more and more prevalent in the industry, it became clear that hackers were gaining easy access to the data of thousands, even millions, of credit cards. That’s why the Payment Card Industry Data Security Standard, or PCI DSS for short, was created.

In terms of your retail business, the PCI DSS is a series of technology rules that define how your POS system needs to be architected and deployed in order to eliminate or minimize the possibility that your system could be hacked. It also includes recommendations for what cashiers and sales reps should do to make sure they are not inadvertently putting your customers’ credit and debit cards at risk.

If you take a skeptical view of the PCI DSS, you could say that it’s the credit card companies’ way of transferring the burden of credit card fraud onto the merchant; rather than bearing it themselves as they used to do prior to the PCI DSS being published. But we think that it’s better to view it in a more holistic way. By following the PCI DSS guidelines, you’ll minimize the risk that your customers’ card data could be stolen by hackers – and you’ll become part of an industry-wide movement to protect all retail consumers from card data theft.

Don’t risk customer confidence in your business

Your clients trust you with their card data as they make transactions in your business. Should you get breached, you’re not the only one that suffers. Your clients’ card data needs to be protected by your business. Would you go to a business if you knew it was likely that your credit card information would get stolen? Probably not.

Customer confidence can really affect whether your fiscal year is profitable or not. People are less likely to visit your store if they don’t feel confident that you’re keeping their data safe. Two-thirds of US adults surveyed said that they wouldn’t return to a business after a data breach. So if you ever get breached, or if your customers aren’t confident in your security, your revenue could be severely impacted.

Oh, and don’t labor under the misconception that your business is too small for hackers to bother with. According to a survey by Verizon, 61% of data breaches affect small businesses. So getting PCI DSS compliant and promoting that to your customers shows them that you are serious about security and you’re taking every precaution to keep their payment data safe. It gives them (and you) peace of mind.

What are the tangible costs of a data breach?

If you do fail to protect your customer’s data, you are opening your business to all kinds of fines and lawsuits, especially if you falsely claim that your business is secure. A good example is the Wyndham Hotel fiasco. After they were breached three times, Wyndham Hotel was sued by the Federal Trade Commission because they had falsely claimed that they were secure after each breach. This lawsuit ended in a settlement, but it shows what repercussions you could have in the event of a data breach.

And who can forget the TJX Companies (TJ Maxx, Marshalls) data breach of 2006, when the data for 94 million cards was stolen. Consumer Affairs reported that the company ended up paying $41 million to Visa, $24 million to MasterCard and another $9.75 million in consumer protection settlements to 41 States.

After a data breach, businesses can face multiple types of financial penalties, including:

  • Merchant processor compromise fines: $5,000 – $50,000
  • Forensic investigation: $12,000 – $100,000+
  • Onsite QSA assessments following the breach: $20,000 – $100,000
  • Free credit monitoring for affected individuals: $10-$30/card
  • Card re-issuance penalties: $3 – $10 per card
  • Breach notification costs: $2,000 – $5,000+
  • Technology repairs: $2,000 – $10,000+
  • Increase in monthly card processing fees
  • Legal fees
  • Civil judgments

Furthermore, you need to also consider the cost of damage to the reputation of your brand. After a breach, many businesses have documented losing up to 40% of their revenue from customers losing confidence in their brand. That’s a cost that you may have to deal with even years after the breach.

Protect your business and your customers

Every PCI DSS requirement is there because a breach could have been prevented by having that security and control in place. Take the extra time and money to make sure your business is complying with the PCI DSS standard. By doing so, you’re protecting your business, your employees, your clients, and your brand. You may even end up paying lower fees to your merchant services provider.

For more information on PCI DSS compliance, and how to make sure you are compliant, contact your merchant services provider. If you want to know more about the specific guidelines, check out the PCI Security Standards website at