PCI noncompliance may end in legal action

When you hear about Payment Card Industry compliance, it's often on the news when there has been a major data breach. You can likely think of a few stores that have been in the media the past few years for losing customer information during security hacks. Why do you think these companies didn't fix their data security issues before a problem arose? They didn't know they weren't following proper PCI standards.

According to Lexology, the Consumer Financial Protection Bureau, the Securities and Exchange Commission and the Federal Trade Commission are fining and settling with organizations that they accuse of having inadequate cybersecurity practices. What does this mean for nonprofits? Read on.

What are legal actions for security noncompliance ?
Lexology mentioned that the CFPB fined an Iowa payment processor $100,000 for misrepresenting its cybersecurity practices. The processor said their transactions were "safe" and that it encrypted funds using the same standards as the federal government. The payment processor did not experience a security hacking, but the CFPB fined them instead because it stated the company was making false claims. 

Focus on PCI: A Data Security Standards Guide wrote about potential PCI noncompliance fines. The publication listed the following possible consequences doled out by credit card companies and banks. It is based off of Visa's time-cost schedule:

  • 1-3 months of noncompliance at Level 1 = $10,000 monthly, Level 2 = $5,000 monthly.
  • 4-6 months of noncompliance at Level 1 = $50,000 monthly, Level 2 = $25,000 monthly.
  • 7 months and on of noncompliance at Level 1 = $1000,000 monthly, Level 2 = $50,000 monthly.

What else happens in the event of PCI noncompliance?
Keep in mind that not every organization that isn't up to par on PCI compliance will incur a security breach. However, even if a nonprofit or company is completely PCI compliant and follows every standard, from frequent risk assessments to monitoring threats and so on, no cyber information is ever fully protected. The organization may still endure an information breach. 

What happens if your cybersecurity is not enough? 
There is always a chance that someone will want your nonprofit or donor information badly enough that they will break into your payment processor and steal information. This is not just a legal issue. Organizations who experience cybersecurity breaches undergo much longer impacts than just the loss of data. Think about it: how would you feel after learning a store you frequently spend money at may have accidentally lost your name, address, phone number and credit card information? Would you want to go back and make more purchases? It's common for people to rethink their choices, potentially avoiding the organization altogether.

Nonprofit donors are no different. Even if they love your cause and want to help, they will very likely think twice before donating to you again. Some people will simply choose to donate via another route, opting out of online options like entering their card information and instead writing personal checks or handing you cash in person. While these fundraising methods are helpful, they are not ideal. Comply with the PCI standards and you'll have a far less likely chance of experiencing a cybersecurity hack and losing the trust and money of your donors. 

Back to News