Imagine a business owner leaving the back door and vault unlocked every night from January until October. Then they keep their fingers crossed that nobody will burglarize them. That’s absurdly unrealistic. But the average business in 2018 essentially left its valuable credit card systems vulnerable for that same amount of time.
Unfortunately, these avoidable weaknesses can have a devastating, long-term impact on businesses as well as their customers. A 2019 analysis of data breaches last year explained that sensitive cardholder data was captured and stolen for an average of 127 days during 2018. That’s about four months or more. So the impact is comparable to being robbed every third day, all year long.
When that happens, it’s time to do something about it. Sure, those affected businesses may have locked their doors and turned on security cameras and alarm systems. But most criminals in this day and age attack by other means. They steal through unsecured computer networks and payment systems. The study also found that businesses that were hacked typically didn’t adhere to recommended PCI compliant protocols. That underscores the fact that PCI compliance really matters.
Businesses that are noncompliant invite unnecessary risk on multiple levels. Sixty-one percent did not have their cardholder data secured, and 62 percent were not PCI-complaint in terms of antivirus protections. More than half of those surveyed had not completed system updates at the time of their breach. Sixty-five percent did not implement PCI compliant logging and log monitoring, and the negligence made the hacker’s job easier. In 67 percent if the incidents, failure to conduct PCI-compliant vulnerability scans and penetration tests contributed to the breach. Similarly, a lack of start documentation and risk assessments contributed to a whopping 70 percent of the breaches that were analyzed.
A lack of unique ID credentials contributed to a number of successful attacks, and 33 percent were due to internal malfeasance perpetrated by employees. Likewise, 17 percent of the breaches happened because of email phishing. But half of the breaches were conducted remotely, through protective firewalls. Firewalls are often relied upon to stop that kind of external attack. But analysis showed that in the majority of reported incidents the breaches still occurred, despite the presence of a firewall. PCI compliance could have potentially served as the much-needed safeguard. No wonder Harvard Business Review has called PCI compliance “a vital first line of defense against data theft.”
Breaches do terrific financial damage and can expose companies to crippling liability and destruction of brand confidence. In the wake of a successful breach the majority of small business fold, within just six months’ time. As the 2019 analysis highlights, prior planning with proactive implementation of PCI compliance is a critical key to success.
While that used to be harder, today’s advanced payment processing platforms offer an easy, user-friendly solution. There’s no need to hire in-house IT staff or do costly infrastructure upgrades. The only real impediment is willingness on the part of the business. But considering the downside impact of a breach, businesses should find it easy to get motivated to achieve PCI compliance, as soon as possible.