The Payment Card Industry Data Security Standard (PCI DSS) is the main information security standard for organizations that process credit or debit card information must abide by. The guidelines established in PCI DSS cover how to secure data handling processes.
While most organizations work to avoid PCI compliance breaches through the requirement’s stringent conditions, Verizon’s forensics team, which conducts regular Payment Security Reports, has never found an organization that was wholly PCI DSS compliant at the time it was breached.
It’s not that hackers are finding novel ways of infiltrating these organizations. A 2020 study from SecurityMetrics discovered that all the weak points exploited by attackers in PCI compliance breaches were explicitly covered by the PCI DSS.
Top Five PCI Compliance Breaches
There have been many PCI data breaches in the last several years, alongside simple compliance lapses caught by authorities. Whenever customer payment card data is exposed, it falls under PCI DSS non-compliance.
Because the PCI DSS is a requirement mandated by contracts between merchants and credit card brands rather than a law, non-compliance typically becomes apparent in the aftermath of a data breach. It’s rare that compliance breaches are discovered before the fact.
1. Magecart Attack on Warner Music Group
Magecart, a conglomerate of hacking groups that target payment card data online, zeroed in on Warner Music Group (WMG) for three months in late 2020. Payment card information, including card number, CVC/CVV, and expiration date, were exposed in the months the attack was ongoing. Magecart’s modus operandi is to focus on the supply chain, where third-party software can be infected and used to skim customer data as purchases are made.
Related Reading: Top Data Breaches of 2020
2. Target Lost Data on 40 Million Cards
Despite alerts in place, Target lost 40 million credit card numbers back in 2013 – still among one of the most shocking PCI DSS compliance breaches to date. Target had a $1.6 million malware detection tool in place, but for three weeks missed critical warnings from the software. This resulting data theft cost Target nearly $18.5 million in settlements across the U.S. alongside more than $202 million spent on legal fees.
3. Adobe’s Million Dollar Data Breach
Out of 38 million impacted Adobe customers, whose login information was stolen, three million also had their credit card records lifted. Adobe subsequently offered one year’s worth of credit monitoring to their impacted customers and was also fined $1 million to settle in 15 states, alongside an undisclosed amount to settle claims of violating the Customer Records Act.
4. Heartland Payment Systems Loses Processing Privileges
In one rarer instance of the intermediary getting hacked, Heartland Payment Systems, which processed payment card transactions for 175,000 merchants, was breached via SQL injection. Both Visa and Mastercard notified the company, and it was subsequently banned from processing payments of major credit card providers for 14 months following the discovery. They also paid out approximately $145 million in compensation.
5. Equifax
No list of the biggest data breaches is complete without Equifax. With over 143 million Americans affected, or 45 percent of the U.S. population at the time (not to mention the Britons and Canadians whose data was also breached), this data breach left a huge impact. The data lost included social security numbers, birth dates, addresses, driver’s licenses, and credit card numbers. The settlement totaled $425 million, and those impacted can still file claims for expenses until January 2024 for any identity theft or fraud related to the breach.
What PCI Non-Compliance or Data Breach Can Cost Your Organization
Only 27.9 percent of organizations are fully compliant with the PCI DSS according to Verizon’s latest Payment Security Report.
If your organization is among the unlucky contingent that experiences a security breach and it’s found that you were non-compliant with the PCI DSS, your organization will likely suffer fines and penalties from the payment card brand alongside any settlements or reimbursements to customers.
Get the Datasheet: Meeting PCI DSS Requirements
Non-Compliance
The non-compliance fines you may face depend on two factors:
- The organization’s size, which is determined by how many transactions it processes per year. Organizations are split into four levels, where level four processes few payments (and face lower fines), and level one processes the most payments.
- How long the organization was non-compliant. Fines are imposed monthly until the organization meets the standard.
Organizations are also responsible for paying for any audits to confirm that they are PCI DSS compliant. Further, your merchant account with the brand could also be revoked, meaning that you would no longer be able to process transactions.
Your organization could also be sued for PCI DSS non-compliance by other credit card associations or the acquiring bank.
Data Breaches
Your organization is on the hook for any breached customer data, even if your organization was fully PCI compliant. Alongside a fine, your organization would be responsible for up to $90 per compromised credit card record. Customers whose data was lost in the breach could also take legal action in the form of a class-action lawsuit.
Related Reading: How a Data Security Breach Puts Your Organization at Risk
How to Comply with the PCI DSS
While PCI breaches are still attributed to point-of-sale (POS) systems, web applications are now the top venue for retail breaches. Despite this, companies are spending only about seven percent of their total IT budget on security.
There are some initial, common sense steps IT teams can take to establish PCI DSS compliance groundwork:
- Enforce password policies
- Restrict access to systems and networks that store PCI data
- Use role-based access to minimize the number of users who can view sensitive data
- Regularly test your system for gaps
PCI DSS compliance doesn’t have to be difficult. Both wide-reaching and niche solutions can help you cover common gaps, since PCI DSS compliance is an arena nearly every organization has to cover. A security software solution can protect your data with strong encryption methods, detailed audit logs for internal and external use, and alerts for both successful and failed data transfers, so you know the status of all file movement.
Related Reading: 7 Essential Resources on PCI DSS Security
