An estimated £618m was lost to payment card fraud on UK-issued cards during 2016 – a 9% increase on 2015 figures.
Taking steps to meet the Payment Card Industry Data Security Standard (PCI DSS) is the best way to reduce the risk of card data loss in your business. But, as with non-compliance, the costs of meeting these Standards can quickly add up.
In this article, we outline:
- some of the costs involved in becoming PCI DSS compliant (and implementing a suitably secure infrastructure)
- the potential penalties for failing to take action
- how you might be able to meet your obligations more affordably.
What is PCI DSS, and does it apply to me?
The PCI Data Security Standards were established by Visa and Mastercard in 2004, and have subsequently been adopted by other card issuers including Amex, JCB, Diners Club and Discover. Their purpose is to prevent card data held by merchants and third parties from being used fraudulently.
If your business accepts or processes payment card data, it must adhere to PCI DSS.
The Standards focus on six key goals, each of which has specific requirements related to it. They are:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
The costs involved
Although merchants and third parties have been obliged to comply with PCI DSS for almost 10 years (the original compliance deadline was 30 June 2008), evidence suggests many are failing to meet their obligations.
If you are among the many organisations yet to fully embrace the demands of PCI DSS compliance, the costs you’re likely to face will vary depending on:
- your existing security standards
- your in-house IT support resourcing
- the size and profile of your organisation
- the volume of transactions it handles
However, based on our own experience, here are some estimated figures for contact centres of various sizes:
25-seat contact centre
Approx. £54,630 (+ £21,735 annual costs)
| PCI DSS goal | Capital expenditure | Annual cost (subsequent years) | Minimum resource days cost (one-off)* | Minimum resource days cost (annual)* |
|---|---|---|---|---|
| Build and Maintain a Secure Network and Systems | £1,400 | £550 | £360 | £1,530 |
| Protect Cardholder Data | £10,000 | £2,000 | £1,800 | £900 |
| Maintain a Vulnerability Management Program | £200 | £100 | n/a | £6,912 |
| Implement Strong Access Control Measures | £17,600 | £500 | n/a | £3,870 |
| Regularly Monitor and Test Networks | £22,370 | £3,033 | £900 | £1,440 |
| Maintain an Information Security Policy | n/a | n/a | n/a | £900 |
| TOTAL | £51,570 | £6,183 | £3,060 | £15,552 |
50-seat contact centre
Approx. £57,530 (+ £23,287 annual costs)
| PCI DSS goal | Capital expenditure | Annual cost (subsequent years) | Minimum resource days cost (one-off)* | Minimum resource days cost (annual)* |
|---|---|---|---|---|
| Build and Maintain a Secure Network and Systems | £2,800 | £1,100 | £360 | £1,800 |
| Protect Cardholder Data | £10,000 | £2,000 | £1,800 | £900 |
| Maintain a Vulnerability Management Program | £400 | £200 | n/a | £7,344 |
| Implement Strong Access Control Measures | £17,600 | £500 | n/a | £3,870 |
| Regularly Monitor and Test Networks | £23,670 | £3,233 | £900 | £1,440 |
| Maintain an Information Security Policy | n/a | n/a | n/a | £900 |
| TOTAL | £54,470 | £7,033 | £3,060 | £16,254 |
100-seat contact centre
Approx. £63,330 (+ £26,391 annual costs)
| PCI DSS goal | Capital expenditure | Annual cost (subsequent years) | Minimum resource days cost (one-off)* | Minimum resource days cost (annual)* |
|---|---|---|---|---|
| Build and Maintain a Secure Network and Systems | £5,600 | £2,200 | £360 | £2,340 |
| Protect Cardholder Data | £10,000 | £2,000 | £1,800 | £900 |
| Maintain a Vulnerability Management Program | £800 | £400 | n/a | £8,208 |
| Implement Strong Access Control Measures | £17,600 | £500 | n/a | £3,870 |
| Regularly Monitor and Test Networks | £26,270 | £3,633 | £900 | £1,440 |
| Maintain an Information Security Policy | n/a | n/a | n/a | £900 |
| TOTAL | £60,270 | £8,733 | £3,060 | £17,658 |
200-seat contact centre
Approx. £74,930 (+ £32,599 annual costs)
| PCI DSS goal | Capital expenditure | Annual cost (subsequent years) | Minimum resource days cost (one-off)* | Minimum resource days cost (annual)* |
|---|---|---|---|---|
| Build and Maintain a Secure Network and Systems | £11,200 | £4,400 | £360 | £3,420 |
| Protect Cardholder Data | £10,000 | £2,000 | £1,800 | £900 |
| Maintain a Vulnerability Management Program | £1,600 | £800 | n/a | £9,936 |
| Implement Strong Access Control Measures | £17,600 | £500 | n/a | £3,870 |
| Regularly Monitor and Test Networks | £31,470 | £4,433 | £900 | £1,440 |
| Maintain an Information Security Policy | n/a | n/a | n/a | £900 |
| TOTAL | £71,870 | £12,133 | £3,060 | £20,466 |
* Calculated on an estimated daily employer cost of £180 for an SME IT Manager (the cost of an outsourced IT contractor is likely to be significantly higher). The "Approx." figure above each table is the capital expenditure plus the one-off resource days cost; the annual figure is the subsequent-year cost plus the annual resource days cost.
What’s the risk of non-compliance?
It can certainly be costly to achieve the required standards – especially if you’re at the very early stages of building a PCI DSS compliant operation.
However, the potential cost of non-compliance could be far greater.
Visa and MasterCard have increased their fines significantly
Visa and Mastercard both levy Account Data Compromise Fines (ADC fines) against merchants or third parties where non-compliance is proven. Both companies increased their ADC fines for card data loss during 2016.
To illustrate the scale of the increase, Barclaycard showed that the data loss of card and CVV numbers for 46,706 Visa and 28,336 MasterCard customers would have amounted to £35,000 in penalties under the previous penalty structure. Following the recent increase, the penalty would increase almost four-fold, to more than £134,000.
Additional operational costs
Aside from card issuer fines, the operational costs associated with a payment card data breach might include:
- forensic investigation costs
- business insurance premiums
- reputational damage (resulting in customer attrition)
- business recovery costs
- introduction of enhanced security measures
Loss of revenue
Non-compliance can also result in your business having card payment facilities suspended, with potentially disastrous consequences for your business model and revenue streams.
And don’t forget GDPR
Even in the unlikely event your business could absorb the above, the fines being introduced as a result of new EU legislation could prove terminal.
The General Data Protection Regulation (GDPR) takes effect in May 2018, bringing with it unprecedented penalties for serious data protection failures: fines of up to €20 million or 4% of global annual turnover, whichever is greater.
Both sound expensive! What’s the alternative?
Many organisations are beginning to realise that outsourcing their customer contact operations may be part of the answer.
Third-party customer contact providers, like WeAnswer, offer PCI DSS compliant services as standard – and have done for a number of years.
Working with an outsourced provider saves you not only the expensive initial implementation of the required standards, but also the significant ongoing cost of maintaining and enhancing your security over time.
For example, regular revisions are made to the PCI Data Security Standards (the latest revision, v3.2, took effect in May 2016), each of which is likely to increase the demands on your business.
Outsourced providers are likely to be among the early adopters of these updated standards, meaning your company can meet its obligations more quickly than might otherwise have been possible.
More information
When it comes to protecting your customers’ payment card data, the stakes have never been higher.
If you’re considering outsourcing as an alternative to deploying a fully PCI DSS compliant solution, please speak to one of our experts.
Alternatively, visit the following resources for further guidance:
- Barclaycard Help & Support
- PCI Security Standards Council
- The UK Cards Association