What is PCI Compliance?

PCI DSS stands for "Payment Card Industry Data Security Standard," and refers to the security guidelines for businesses that accept credit cards. PCI DSS provides businesses an actionable framework to protect cardholder data. PCI DSS is governed by the PCI Security Standards Council, and it was originally created using information from Visa's Cardholder Information Security Program (CISP) and MasterCard's Site Data Protection (SDP) program.

Is PCI Compliance mandatory?

PCI compliance is required for all businesses that accept credit or debit card payments. This requirement is not diminished by the size of the merchant, even if they process very small volumes. Large merchants are required to have PCI compliance validated by a Qualified Security Assessor (QSA). A QSA is a person who has been certified by the PCI Security Standards Council to audit merchants for PCI DSS compliance.

QSAs are employed as impartial third parties during PCI compliance audits of Level 1 merchants (those who process over 6 million Visa transactions a year). During the audit process, a QSA fills out a Report on Compliance (ROC) that verifies the merchant's compliance with PCI DSS.
The ROC is sent to the merchant's acquiring bank, which then sends it to the appropriate credit card company for compliance verification.

Small businesses are supposed to be PCI compliant, but it's up to the business's credit card processor to verify.

Merchant Levels & Compliance

PCI guidelines separate merchants into four levels depending on the number of transactions processed annually and how the merchant transmits cardholder data. Most businesses are classified as PCI Level 4, which is the lowest level of scrutiny:

• Less than 20,000 e-commerce transactions annually AND
• Less than 1,000,000 retail transactions annually

For Level 4 merchants, the processor and merchant service provider (MSP) determine validation requirements and PCI compliance.

Processor Approaches to PCI Validation
Not all processors are created equal, and many have taken different approaches to validating PCI compliance, some better than others.

First Data and their processors require all businesses to validate PCI compliance and provide PCI support programs to help businesses become compliant. Businesses that are not in compliance with the regulations are charged a PCI non-compliance fee.

The Importance and What this Means to the Merchant

Credit card data, personal information and private data attacks are a big part of "white-collar crime". The internet provides a vehicle for these attacks such that they can be perpetrated from any location in the world. Business size and type have little to do these days with potential data breaches and attacks. PCI compliance is not optional and should be considered a key business policy. The PCI security regulations have been implemented to secure everyone's confidential information and data. Non-compliance brings about fines and penalties from the payment card industry and providers. Fines can include the following:

• Fines of $500,000 per data security incident
• Fines of $50,000 per day for non-compliance with published standards
• Liability for all fraud losses incurred from compromised account numbers
• Liability for the cost of re-issuing cards associated with the compromise
• Suspension of credit card acceptance by a merchant's credit card account provider
• Loss of reputation with customers, suppliers, and partners
• Possible civil litigation from breached customers

The consequences of not being PCI compliant range from $5,000 to $500,000, which is levied by banks and credit card institutions. Banks may fine based on forensic research they must perform to remediate noncompliance. Credit card institutions may levy fines as a punishment for noncompliance and propose a timeline of increasing fines. It's not unusual for businesses to be assessed large fines for lack of compliance.
A recent news article dated March 14, 2013, stated Genesco suffered a data breach in 2010, and Visa collected $5,000 fines from all of its merchant banks, many of which extracted the money from Genesco's accounts, according to the report. Visa collected more than $13.3 million in penalties, and MasterCard extracted approximately $2.3 million. According to court documents, the lawsuit alleges that Genesco's breach did not constitute a major violation of PCI compliance rules outlined by Visa, but the credit card firm exacted the fines anyway. A copy of the court documents can be found here:
http://www.wired.com/images_blogs/threatlevel/2013/03/Genesco-Complaint.pdf
Currently 38 states have enacted some sort of breach disclosure law. In general, most state laws follow the basic tenets of California's original law, which was enacted back in 2002. Companies who are breached must immediately disclose the data breach to customers, in writing. Companies must also notify their processor, who will then notify the bank. The processor or bank will then initiate a PCI DSS audit on the merchant to see if the merchant was PCI DSS compliant at the time of the breach.