Contractual and regulatory compliance in payments and personal data is a significant task, and one that entities often mistakenly view as a tiresome and costly burden.
The Payment Card Industry Data Security Standard (PCI DSS) is the result of regulatory compliance (Sarbanes-Oxley) being placed on the payment card schemes to manage their risk. PCI DSS compliance is a contractual obligation, generally between a Merchant and their Acquiring Bank, and applies to ALL entities that store, process and/or transmit payment card data, irrespective of the volume of payments processed. PCI DSS also applies to Third Party Service Providers who support entities that have outsourced the payment handling process. Outsourcing does not release an entity from its obligation to be certified as compliant. New guidelines detailing how the current version (3.20) applies to securing telephone payments are due to be published by the PCI Standards Security Council (PCI SSC) later this year.
The UK Data Protection Act is due to be repealed on the 25th May 2018 and replaced by the General Data Protection Regulation (GDPR). GDPR will be a regulatory requirement that applies to ALL entities trading with Europe as well as entities within EU Member Nations. The GDPR puts ownership of personal data firmly with the Data Subject and the burden of proving compliance with the Data Controller. Adopting many principles already in force in existing EU Member Nations, GDPR will have a significant impact on the UK direct marketing industry, given its 25-plus years of self-regulation. Whilst much more is still to be published about how GDPR will be implemented, it is expected that the role of Supervisory Authority in the UK will be the joint responsibility of the Information Commissioner's Office (ICO) and the Financial Conduct Authority (FCA). With the clock ticking towards full UK legal adoption, preparation is key.
The penalties for non-compliance can be harsh, which argues for repositioning compliance as a guide to good corporate governance that protects shareholder value.
The PCI Standards Security Council (PCI SSC) emphasizes ‘security’, whilst the Card Schemes themselves focus fines on cost recovery, seeking only to recover costs in the event of payment card data being compromised by an entity that is found to be not PCI DSS certified, or not compliant, at the time the breach occurred. Costs from VISA alone are up to €18.00 per card compromised. The ultimate sanction for entities experiencing a breach while continually failing to meet the requirements of the Standard is a 90-day notice to meet the PCI DSS compliance obligations or face withdrawal of payment card processing facilities. For all business entities, such risks should be logged and properly documented within their prevailing corporate governance obligations.
The law governing non-compliance with the GDPR is equally harsh, with fines of up to €20M or 4% of global turnover, whichever is the greater. The Regulation places full reporting responsibility with the Data Controller, with higher levels of reporting and governance required for entities with more than 250 employees.
The true cost of a data breach is not the impact of non-compliance; it is the potential response of customers and their future purchasing behaviour, which impacts directly on the top and bottom line.
The ability to establish an ongoing business case to support an entity's cyber security requirements is fundamental to maintaining brand values and delivering shareholder value. Since starting the company in June 2014, Compliance3 has invested in ongoing research into consumer response to data breaches. Please contact us to receive copies of our latest round of research and our white paper.