The perils of PCI non-compliance: What you need to know by March 31


Eva Pittas is the president and COO of Thoropass. She has over 20 years of experience in the financial industry.

PCI DSS (Payment Card Industry Data Security Standard) is the compliance framework underpinning many of the digital payments that you and your company likely use every day. It sets the minimum controls for protecting cardholder data wherever that data is stored, processed, or transmitted. Pretty important, I’d say, and yet, beyond the security and compliance experts running point in an organization, most business leaders lack full appreciation of, and visibility into, this security standard.

Non-compliance with PCI DSS carries significant financial and reputational risks.

Consider these numbers:

  • 43.4% of companies were fully PCI DSS compliant (v3.2.1) in 2020
  • That is still less than half of those surveyed, but it is up from a recent low of 27.9% fully compliant just a year earlier
  • Meanwhile, contactless mobile payments are expected to hit $1 billion this year, and digital wallet usage is projected to pass $10 trillion by the end of 2025

The news that PCI compliance rates are going up is, of course, encouraging, especially in light of the eye-popping digital payment figures just around the corner. However, the fact that fewer than half of reporting businesses are fully PCI compliant is troubling. More troubling still: of the companies that were not fully compliant, only 30.1% used compensating controls, the mechanism PCI DSS provides for meeting a requirement’s intent when the control cannot be implemented as written, and even a compensating control counts only when it is documented and validated by the assessor. In practice, businesses assume that doing some of the work is enough.

This perspective is wrong: a business is PCI DSS compliant only when it meets every applicable requirement of the current version of the framework, and it stays compliant only when the framework is at the heart of its annual and evolving security strategy rather than a once-a-year assessment.

The essentials of PCI

Most CISOs, and especially those in FinTechs, already know about PCI DSS compliance and its centrality to processing, storing, and transmitting data related to digital payments. But with this ubiquity come blind spots.

Understanding the risks at stake is increasingly important, and it is one reason why CISOs must champion PCI DSS compliance, advocating for its adoption at every level of the business.

Like almost any compliance framework properly adopted, PCI DSS compliance is not merely a checkbox exercise; it is a strategic approach to fortifying defenses against breaches. CISOs must recognize that adhering to PCI DSS is not just a matter of following a set of guidelines: it is a contractual obligation imposed by the card brands and enforced through acquiring banks, and some jurisdictions reference it in law as well. Failure to comply can lead to fines, legal action, and ultimately the revocation of the ability to process credit card transactions.

Getting ahead of the March 31st deadline

Simply put: now is the time to act.

On March 31, 2024, the previous version of PCI DSS (v3.2.1) will officially be retired. From that date, PCI DSS v4.0 is the only active version of the standard and all new assessments must be performed against it. Not every new requirement bites at once, however: of the 64 new requirements in v4.0, 13 are effective immediately for any v4.0 assessment, while the remaining 51 are future-dated and treated as best practice until March 31, 2025, after which they become mandatory. Companies therefore have until March 31, 2025 to fully implement PCI DSS v4.0.

Thoropass has covered the changes to this new version, including highlighting the 64 new requirements that are included. These new requirements are designed to keep pace with the growing demand for digital payments, and the growing risk of breaches and attacks.

Consider again how even PCI-aware companies are often not fully compliant. For example, Requirement 11 of PCI DSS v3.2.1, which asks companies to “regularly test security systems and processes,” was the requirement companies most often fell short of in 2020: only 60% of companies fully met it.

The switch to the new version in April 2024 gives every company the opportunity to reexamine its digital payment compliance and ask whether it is actually compliant, not merely “compliant enough,” in this changing economic environment.

Reasons to act now

There are many reasons to act now when (re)examining your company’s PCI compliance.

Whether you’re motivated by money, trust, or fear, the only way to ensure that your company is prepared for what comes next is to protect it from unforced errors. The simplest and most widely accepted way to do so is to become, and remain, fully compliant with PCI DSS.

Are you compliant?

Are you compliant enough?

Are you sure?

No matter how you answer these questions, the most important thing is that you have a response you’re sure of, and that it remains the same in March, April, and the months that follow.
