Monthly Archives: October 2015

Are TalkTalk and British Gas failing to comply with PCI DSS?

It has been a worrying week for a lot of customers in the UK, as TalkTalk announced a significant data breach, with all four million customers potentially affected. This was followed by another breach at British Gas, albeit one of a much smaller scale. Even so, the British utility company had to contact more than 2,000 of its customers to warn them that their passwords and email addresses had been posted on the Internet. The companies have been quick to calm customers down and cover their own backs, with TalkTalk claiming to have spent extensively on security systems. But one company has said that it believes both TalkTalk and British Gas have failed to comply with PCI DSS.

High-Tech Bridge is an information security company based in Switzerland, and it has claimed that a huge number of companies are leaving customers at risk by not securing their data effectively. The company ran its SSL checker tool on both the British Gas site and the TalkTalk website, and the results indicated that both companies are failing to be compliant. In fact, it gave British Gas a final score of ‘F’ for its security configuration. The check flagged a whole host of reasons why British Gas was failing to be PCI compliant: it suggested upgrading the TLS engine because it supports insecure renegotiation, reviewing the supported cipher suites, reviewing the supported protocols, and much more.
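The three findings quoted above (insecure renegotiation, weak cipher suites, weak protocols) are the kind of thing a configuration review can catch before an external scanner does. The following is an added example, not code from the article or from High-Tech Bridge's checker: it applies a small rule set, which is this example's own assumption rather than the scanner's scoring, to a constructed description of a server's TLS setup and grades it.

```python
# Added example, not code from the article or from High-Tech Bridge's checker.
# It reviews a description of a server's TLS setup against the three findings
# the article quotes: insecure renegotiation, weak cipher suites, weak
# protocols. The rule set and letter grades are this example's own assumptions;
# the protocol rule follows PCI DSS 3.1 (April 2015), which stopped treating
# SSL and early TLS (TLS 1.0) as strong cryptography.

INSECURE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0"}
# Substrings of OpenSSL-style suite names that mark a suite as weak
# (null/export/RC4/DES-family ciphers, MD5 MACs, anonymous key exchange).
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "ADH", "AECDH")


def review_tls_config(config):
    """Return (severity, message) findings for a dict describing a TLS endpoint."""
    findings = []
    if not config.get("secure_renegotiation", False):
        findings.append(("high", "insecure renegotiation supported; upgrade the TLS engine (RFC 5746)"))
    for proto in config.get("protocols", []):
        if proto in INSECURE_PROTOCOLS:
            findings.append(("high", f"protocol {proto} enabled; not strong cryptography under PCI DSS 3.1"))
    for suite in config.get("cipher_suites", []):
        weak = [m for m in WEAK_CIPHER_MARKERS if m in suite]
        if weak:
            findings.append(("medium", f"cipher suite {suite} is weak ({', '.join(weak)})"))
    return findings


def grade(findings):
    """Letter grade: A with no findings, F with any high finding, C otherwise."""
    if not findings:
        return "A"
    return "F" if any(sev == "high" for sev, _ in findings) else "C"


# Constructed configurations for illustration; not scan results for any real site.
WEAK_CONFIG = {
    "protocols": ["SSLv3", "TLSv1.0", "TLSv1.2"],
    "cipher_suites": ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA", "DES-CBC3-SHA"],
    "secure_renegotiation": False,
}
HARDENED_CONFIG = {
    "protocols": ["TLSv1.2"],
    "cipher_suites": ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"],
    "secure_renegotiation": True,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = review_tls_config(cfg)
        print(f"{name}: grade {grade(findings)}")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```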

But it’s not just British Gas customers who need to be worried, according to High-Tech Bridge: only 12 per cent of 161 companies from the Forbes Global 2000 are currently compliant with PCI DSS requirements. This is a truly worrying statistic. So, is it a sheer lack of responsibility? Or do companies still not understand their duty to be compliant? It’s impossible to give a clear answer, although the latter is undoubtedly playing a role. A lot of businesses feel that PCI compliance is too confusing and expensive. There is no denying that there is a lot to understand, but it doesn’t have to be expensive, nor does it have to be complex. You simply need to align yourself with a service provider who can take care of this side of your business for you.

Consequences of failing PCI compliance

There are many businesses throughout the UK that are ignoring their responsibility to achieve PCI compliance. This applies to any company that stores, transmits, or processes cardholder information. Thus, if you take credit or debit card payments, even on rare occasions, you need to be concerned with the PCI DSS. Read on to discover some of the critical consequences of failing PCI compliance.

Remediation costs

You are going to have to spend a considerable sum of money getting to the bottom of what happened and fixing the security vulnerabilities that have been exploited. This could mean hiring and firing employees, using the services of outside security experts, and the like. One thing is for sure – it is not going to be cheap.

Reputational damage

Your business’s reputation is guaranteed to take a massive hit if you are shown to have neglected your duty to be compliant. Customers will think twice about using your services because they will be worried that their personal information and payment details are not going to be secure. Something like this can be extremely difficult to come back from. In fact, many businesses have closed down because of it.

Legal action

It is not uncommon for companies to face legal action when they have been the victims of a cyber security breach, and hack victims are increasingly likely to file suit. Not only does this mean more negative press for your business, but, irrespective of whether you win or lose the case, legal action is going to cost you a considerable sum of money.

Compensation costs

As mentioned earlier, trust is going to be completely broken, and you have a massive task on your hands when it comes to rebuilding it. This rebuilding process is going to cost you a significant amount in terms of compensation costs. From identity theft insurance to free credit monitoring, there are various strategies you can use to try and get your customers on side, but they are going to cost you.

Bank fines

When a customer’s credit or debit card has been used to buy something fraudulently, it is the banks that have to reimburse your customers. However, they are not going to do this out of their own pockets, and thus the costs are passed on to you in the form of fines. There is no telling how much this can be; it all depends on how much damage the hackers have done.

Lost revenue

Last but not least, your revenue will undoubtedly take a massive hit, and there are several reasons why. Firstly, you will have to focus all of your efforts on the breach and fixing the damage, and thus you will not be able to concentrate on the core of your business, i.e. what makes you money. Secondly, the biggest damage to your reputation is that your customers will have lost trust, and therefore people are going to be reluctant to spend money with your business.