PCI limited service guarantees help fill in security gaps after compliance.

By: Chase Palmer
Please raise your hand if you’ve ever felt intimidated by PCI compliance. You’re not alone. It’s a tall order to be 100% compliant with up to 270 items on a PCI Self-Assessment Questionnaire. What if you misunderstand a requirement? What if you accidentally miss something? Well there’s good news. You don’t have to be perfect.

The purpose of the PCI DSS is to address a business's most glaring security errors. For accidental or missed errors, a PCI compliance limited services guarantee helps mitigate a business's financial risk. These limited guarantees are often included as part of a PCI compliance program provided by some PCI compliance vendors. The purpose is not to change your attitude toward PCI or to allow you to abandon PCI requirements, but to act as a failsafe.

When all other PCI security protocols have been followed to the best of your ability, these service guarantees exist to address the financial hardships your business might endure in the aftermath of a compromise.

The real cost of a breach

Speaking of breaches, the $5,000 to $50,000 compromise fine assessed by most merchant processors is only the beginning of penalties after a data breach. Other costs may include:
  • A required forensic investigation, from $12,000 to $100,000
  • Onsite assessments by a certified Qualified Security Assessor (QSA) for years following the breach, from $20,000 to $100,000
  • An increase in monthly card processing fees
  • Annual credit monitoring services for compromised customers
  • Card re-issuance penalties, from $3 to $10 per card
  • Customer fraudulent charge reimbursement
  • Federal/municipal fines
  • Brand damage, especially if negligence was involved
  • Legal fines if customers initiate a class-action lawsuit

Limited services guarantees can cover costs relating to a card data compromise up to a financial limit (e.g., $100,000). This financial assistance can be used to cover all compromise expenses relating to PCI DSS and HIPAA data security standards.

These guarantees make most financial sense when combined with other tools that reduce actual risk, such as internal scanning tools that help find and remove stored card data, and strong policies that help prevent data loss. Some breach protection programs include such tools.

How much does it cost?

Well, since your breach protection is actually rolled into your PCI compliance, the cost is whatever your PCI compliance program costs through your PCI vendor.

Chase Palmer is the Senior Program Manager and has been working at SecurityMetrics for seven years. He manages the company's largest corporate partners in running mass Level 4 PCI DSS programs worldwide. Chase has a Bachelor's degree in Business Management from Western Governors University. He currently lives in Provo, Utah, and he loves everything about motorcycles.