The Cost of Non-Compliance

By Dr. Heather Mark

In recent years, the payments space has seen an explosion of new players. This dramatic growth is good for the industry: it drives competition and innovation. The pace of change brings challenges, too. One of those challenges is the adaptation of traditional software companies to the unique risk and compliance requirements of the payments ecosystem. These compliance obligations are often viewed as costly requirements that add friction to the process, but in reality they not only protect the company’s clients and end-users, they also protect the company’s revenue. A common question among those new to the payments world is, “How much does compliance cost?” That question, though, is a little myopic. A more cogent question might be, “How much will it cost our company to be non-compliant?”

In the payments industry, the consequence of non-compliance that first comes to mind is the assessment associated with non-compliance with the Payment Card Industry Data Security Standard (PCI DSS). Each of the card brands assesses penalties separately, so a non-compliance finding or a breach carries with it the possibility of assessments from each of the four card brands. For example, Visa’s published non-compliance assessment schedule (available in its Core Rules) begins at up to $50,000 per non-compliance finding for the first violation. Mastercard’s assessment schedule can be found in its Rules as well. The assessments increase sharply for subsequent findings. It should be noted that these assessments are merely for not being compliant with the security requirements promulgated by the brands; they are not assessments resulting from a breach.

In addition to the card brand consequences of non-compliance, in the event of a breach that exposes cardholder data, the bad news piles up quickly. All fifty states now have data breach notification requirements, meaning that an entity that suffers a breach in which personal data is compromised, and in which there is a high risk of identity theft or financial fraud, must notify affected consumers. While the cost of notification and of managing the public relations fallout is high, so too is the likelihood of a class action suit. Although these suits are often dismissed on the grounds that the plaintiffs lack standing (fertile ground for another blog post), the fact is that companies’ legal spend skyrockets in responding to these cases and working to get them dismissed.

In egregious cases, companies may attract the notice of federal regulators. The Federal Trade Commission (FTC) is tasked with protecting consumers from unfair and deceptive trade practices. The FTC has used this power, provided by §5A of the Federal Trade Commission Act, to take action in the event of a data breach in which consumer data is exposed. A list of FTC enforcement actions regarding privacy- and security-related events can be found on the FTC website. In egregious cases, entities may face fines and penalties, pay remuneration to affected consumers, and be required to submit their compliance or security programs to FTC oversight for up to 20 years.

Fortunately, there are means to reduce interaction with regulated or protected data.  Some of these methods include:

  • Hosted Payment Pages – merchants can accept payments through the use of a hosted payment page. The payment page is hosted by a PCI DSS validated, registered service provider. The payment information posts directly from the consumer to the service provider, bypassing the environment of the healthcare provider entirely.
  • Tokenization – in this solution, the payment information is replaced with a randomly generated value that is used to represent the payment mechanism. The healthcare provider can still use that token to process subsequent payments, as may be useful for patients on payment plans, for reporting, for patient payment analysis, and for chargebacks or disputes. The benefit here is the reduced payment data footprint within the organization.
  • PCI Validated Point-to-Point Encryption (P2PE) – a P2PE solution is one in which the cardholder data is encrypted from the point of interaction (swipe, dip, or key entry) all the way through to the processor. The payment is processed, but when the authorization response is sent to the healthcare organization, the payment data is replaced with a token.
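As an added illustration of the tokenization model described in the list above (example code written for this post, not any provider's product or API): a hypothetical provider-side vault issues random tokens and is the only component that ever holds the card number, while the merchant keeps just the token and last four digits and can still bill a payment plan from them. A scan of the merchant's records then confirms the reduced footprint. The card number, patient id and amounts are constructed sample values.

```python
import re
import secrets
PAN_PATTERN = re.compile(r"\b\d{13,19}\b")  # word-bounded run of 13-19 digits

def luhn_valid(number: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * 2 if i % 2 else int(ch)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

class ProviderVault:
    """Hypothetical PCI DSS validated service provider: the only place the PAN lives."""
    def __init__(self):
        self._pans = {}  # token -> PAN; never leaves the provider

    def tokenize(self, pan: str) -> tuple[str, str]:
        if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
            raise ValueError("malformed card number")
        token = "tok_" + secrets.token_hex(16)  # random; carries no PAN information
        self._pans[token] = pan
        return token, pan[-4:]

    def charge(self, token: str, amount_cents: int) -> dict:
        pan = self._pans[token]  # detokenization happens only inside the provider
        return {"approved": True, "amount_cents": amount_cents, "last4": pan[-4:]}

class MerchantSystem:
    """The merchant (e.g. a healthcare provider) keeps tokens, never the PAN."""
    def __init__(self, provider: ProviderVault):
        self.provider = provider
        self.patients = {}  # patient id -> {"token": ..., "last4": ...}

    def enroll(self, patient_id: str, pan_from_hosted_page: str) -> None:
        # With a hosted page the PAN posts straight to the provider; this call stands in for that hop.
        token, last4 = self.provider.tokenize(pan_from_hosted_page)
        self.patients[patient_id] = {"token": token, "last4": last4}

    def bill(self, patient_id: str, amount_cents: int) -> dict:
        return self.provider.charge(self.patients[patient_id]["token"], amount_cents)

def pan_footprint(merchant: MerchantSystem) -> list[str]:
    return [m for rec in merchant.patients.values() for v in rec.values()
            for m in PAN_PATTERN.findall(str(v)) if luhn_valid(m)]

def demo() -> tuple[int, dict]:
    merchant = MerchantSystem(ProviderVault())
    merchant.enroll("patient-42", "4111111111111111")  # constructed test card number
    bills = [merchant.bill("patient-42", 2500) for _ in range(2)]  # two installments
    return len(pan_footprint(merchant)), bills[-1]
```

`demo()` returns `(0, {...})`: nothing the merchant stores looks like a card number, yet the second installment is still approved against the stored token.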

While the regulatory environment is constantly changing, and threats to data will continue to evolve, the payments industry continues to adapt technologies to mitigate the risk to data. Understanding how these technologies can be deployed to reduce your data risk can help improve the customer experience and protect your bottom line.