Risks for businesses falling short on PCI DSS compliance

Out-Law News | 15 Nov 2019 | 9:34 am

Businesses that fail to comply with the Payment Card Industry Data Security Standard (PCI DSS) risk heavy fines from regulators and being the target of group litigation from consumers, an expert in payments and technology law has said.

Angus McFadyen of Pinsent Masons, the law firm behind Out-Law, was commenting after a study carried out by Verizon found that just 36.7% of organisations were in full compliance with PCI DSS last year, down from 52.5% in 2017 and from a high of 55.4% in 2016, the best result in the nine years Verizon has been conducting the study.

"Organisations might be spending a lot of time and money creating data protection compliance programs (DPCPs), but many can be ineffective and fail to advance beyond programs that look good on paper but do not withstand the scrutiny of a professional security assessment," Verizon said in its 2019 payment security report. "Such DPCPs lack the design, implementation, review processes and revisions to be both effective and sustainable."

The PCI DSS framework requires retailers, banks and other companies involved in processing credit and debit card payments to implement a series of measures to ensure payment card data is kept secure both during and after transactions.

According to Verizon, many organisations are struggling to meet the requirements the PCI DSS framework sets on maintaining "effective vulnerability management, software development and change processes" and in relation to security testing requirements too.

Compliance among businesses in the Asia Pacific region is better than among those based in the Americas or in Europe, the Middle East and Africa (EMEA), Verizon said. It also said that compliance is poorest in the retail and hospitality sectors, while finance businesses typically perform better in this respect.

McFadyen said the statistics are "worrying".

"Across Europe the GDPR was implemented over a year ago and that confirmed the principles around, and the importance of, security measures," McFadyen said. "Whilst in Europe PCI DSS isn’t enshrined in law, non-compliance with PCI DSS has been cited by regulators in a number of high profile breaches as equating to non-compliance with data protection law. So businesses that are non-compliant put themselves at risk not only of fines and heightened charges and risk under their card processing arrangements, but also of GDPR-level fines from regulators and class action from individuals."

"This is an issue that will expand globally as more countries move to GDPR-modelled data protection laws," he said.