Is PCI Compliance Required by Law?

by Audrey Oh
Any business or organisation that processes credit card payments must comply with the Payment Card Industry Data Security Standard (PCI DSS). This standard was introduced in 2004 by a group of the major credit card companies to protect personal data and reduce fraud. Is PCI compliance required by law? No, but non-compliance could have serious consequences, so business owners would be well-advised to treat it as law.

What is PCI DSS?

In 2004, five of the largest credit card companies united to establish the PCI DSS as a means of protecting card issuers from fraud and data breaches. The Payment Card Industry Security Standards Council (PCI SSC) was formed to administer the new standard. PCI DSS sets minimum levels of security for merchants who store, process and transmit cardholder data. There have been several versions of PCI DSS released between 2004 and 2019. The PCI SSC holds the most up-to-date information and guidance.

Do I Need to be PCI Compliant?

In general, any business or organisation that accepts online credit card transactions must achieve PCI DSS compliance. Credit card companies require compliance to increase security and protection against identity theft. 

There are four levels of PCI compliance, and the number of transactions a business conducts annually dictates which level applies. Level 1, the highest, is required for organisations processing over 6 million transactions per year. Small businesses processing fewer than 20,000 Visa e-commerce transactions per year may only require level 4 compliance.

What Are the Consequences of Non-Compliance?

Although PCI DSS compliance is not a legal requirement, any organisation it applies to should treat it just as seriously as the law, because of the potential consequences of non-compliance.

Any merchant that fails to comply with PCI DSS and experiences a data breach or other fraudulent activity that puts the security of cardholder data at risk is liable to incur significant penalties and lost business. The Ponemon Institute’s 2015 Cost of Data Breach study revealed the average cost of a UK data breach to be $3.8 million. 

Numerous big brands have hit the headlines in recent years for failing to protect customer data, which has cost millions or even billions of pounds in each case. In 2018, criminals managed to access Marriott Hotels’ reservation system, which compromised the personal data of almost 4 million people. In 2018, Wonga, the controversial payday lender, experienced a data breach that affected nearly 250,000 UK customers. Such stories have made consumers increasingly wary of sharing personal information. Businesses must demonstrate their commitment to maintaining the highest standards of security not only to avoid fines but also to retain customers and attract new ones. 

Fines and penalties can be imposed for non-compliance and data breaches. There are no set fees, but Barclaycard has recently stated that average fees in the UK for a small merchant are approximately £15,000, not including associated costs such as remediation fees and forensic investigation. These figures can be considerably higher for big businesses.

Fines may be inflated where there is a crossover with the General Data Protection Regulation (GDPR). PCI DSS was established to protect payment card data, while GDPR was introduced to protect personal information. However, because payment card data under PCI DSS is classed as “personally identifiable information”, a breach involving this data could also constitute a breach of GDPR. According to data released by the Information Commissioner’s Office (ICO), the average fines for breached financial information could have increased from £1.74 million to nearly £889 million since GDPR came into force in 2018.

The consequences of non-compliance with PCI DSS are significant, and many businesses fail to recover from the fines, loss of business and the negative impact on company reputation. In comparison, the cost of gaining PCI DSS compliance is relatively low. It will vary depending on the size and type of your business as well as several other factors, but for a small business it could be as little as a few hundred pounds per year. That is money well spent if it helps you to avoid the potential consequences of non-compliance:

  • Legal costs
  • Penalties and fines
  • Lost business
  • Increased costs for future compliance
  • Cost of issuing new payment cards
  • Having your ability to process card payments revoked
  • Damage to the business brand

Take the First Step Towards PCI DSS Compliance Today

Callstream Vault is a comprehensive cloud-based PCI Level 1 certified solution for secure phone payments. If your business accepts payments over the phone, Callstream Vault provides peace of mind for the business and the customer. Customers can submit their credit card information without any details being shared with the sales agent or recorded by software. 

Talk to our team today on 0333 400 9990 to discuss your requirements and find out more about our PCI compliant Callstream Vault software.