This article says it perfectly, and many security specialists agree: it is a matter of when, not if, you are affected in some way by a breach, whether it is your customers' clients' details being stolen or your own.
We've touched upon the security of outsourced payment models, and the lengths they go to in order to protect customers' data and assist with PCI DSS compliance. A big part of the solution is to outsource any data that isn't imperative to your business. But in reality, you can tick as many boxes as you like, be it PCI DSS, COBIT, HIPAA or many others; if your environment isn't secure, the ramifications will still be the same when you get breached.
Depending on your business, there will be payment solutions that can reduce your risk, such as P2PE for businesses accepting face-to-face payments, or hosted re-direct payment models for websites. For eCommerce businesses, a hosted re-direct payment page or secure iframe is proving not to be enough to deter hackers. Your #1 priority should be a secure website, and there are solutions available to you, such as a Web Application Firewall, File Integrity Monitoring and more. Such technologies significantly reduce business risk and do not require advanced security skills to manage.
Adding those extra layers of security to your website could be the difference between happy and safe customers and a potential data disaster.
Cyberthreat: Learning to live with the risk
And bring your tools, people and partners together

Cyberthreats are like the common cold or some other infectious virus; eventually you're going to get sick. It's a part of life. They're always there, lurking just around the corner, waiting to make your life that little bit harder. At the same time, you can't focus entirely on potential risks to your business at the expense of developing it. You must protect yourself without freezing everything and preventing future development. That means adopting a grown-up approach to risk management, and allocating your budget judiciously to give yourself the maximum protection while still keeping your IT systems flexible enough to support new ways of doing things. So how does that work?