How to report a PCI DSS Violation?
There has been a rise in the number of reported payment card data breaches within the retail and hospitality industries. It has often been noted that the compromise occurred even though the breached organisation had been certified as compliant with the requirements of the Payment Card Industry (PCI) Data Security Standard.
Most businesses work hard to understand and implement the PCI compliance standards. As consumers, unless we are directly involved in the process, we do not have the same level of understanding of what is covered by it.
PCI DSS is not law, but a set of standards agreed and enforced by the card issuers (Visa, MasterCard, American Express, Discover and JCB) together with acquiring banks and payment service providers.
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of industry standards designed to protect payment card data. The standards provide an additional level of protection for consumers and reduce the risk of data breaches involving personal cardholder data.
Any organisation that transmits, stores or processes primary account numbers (PAN) is required to comply with the PCI DSS. In addition, where other cardholder data is stored, processed, or transmitted with PAN it must also be protected.
The standard comprises 12 broad requirements, which are grouped into six key areas:
- Building and maintaining a secure network
- Protecting cardholder data
- Maintaining a vulnerability management program
- Implementing strong access control measures
- Regularly monitoring and testing networks
- Maintaining an information security policy
What is covered by PCI DSS?
There is a huge difference between compliance and security, and certified companies should not fall into a false sense of security. Certification does not guarantee that a breach is not going to occur.
PCI DSS demands only a minimum set of requirements, and one size does not fit all. Here are some examples of what is covered by PCI DSS:
- Credit card information (including the cardholder’s name and account number) left in public and/or non-authorised view, such as on an employee’s desk or computer screen
- Paper forms containing full credit card information stored in unlocked cabinets
- Usernames and passwords for electronic accounts holding payment data that are not sufficiently protected
- A business's electronic point-of-sale system that is connected to other systems or devices
Examples that fall outside of PCI DSS
- You didn’t authorise the business to charge your credit card, but they did so anyway
- You haven’t received a refund on a disputed credit card charge
- You were asked to write your credit card information on a paper form
- Your full credit card number was printed on a sales receipt
What steps should you follow to report a non-PCI-compliant merchant?
- Always contact the merchant first, so that they have an opportunity to resolve the issue themselves.
- If you fail to get a resolution and you know which payment service provider the organisation uses, report the violation to them; you can also report it to the card issuers
- If you feel that your payment card data may become compromised, contact your issuing bank and alert them. They will be able to cancel your card and re-issue a new one.
What should a merchant do if they are compromised?
If you do not have a response plan, then we would recommend that you take the following steps:
- Contact your acquiring bank and inform them that you have been compromised
- Ensure that no-one can access or alter compromised systems
- Isolate the compromised systems from your network and unplug any network cables without turning the systems off
- Preserve all logs and similar electronic evidence
- Perform a back-up of your systems to preserve their current state, which will facilitate any subsequent investigations
- Log all actions you take
- Seek advice before you process any further transactions
American Express, Discover, and Visa require you to notify them immediately upon confirming a security breach. MasterCard requires notification within 24 hours of your becoming aware of the breach.
What are the consequences of non-compliance or violation?
Businesses that are found to be out of compliance with the PCI DSS may be subject to fines by the entity they use to process their credit card transactions. Furthermore, non-compliant businesses that experience a data breach in which credit card data is actually stolen are subject to much larger fines and fees from the banks, card brands, etc.
Once the card schemes have reviewed the forensic findings, they will decide whether fines are required. These will be passed on to you as per your Merchant Agreement. It is also important to make sure that the agreements you have with your service providers include provision for compensation should they be identified as the point of compromise.
You may also be faced with penalties even when no breach has occurred. Non-compliance fines can be levied for the failure to undertake due diligence to ensure your Third Parties/Service Providers/Merchant Agents are and remain compliant with the PCI DSS.
Fines vary from case to case. As a guide, Visa penalty levels start at £10,000 and MasterCard at £5,000. These are just base fines as other charges may be applied depending on the nature of the breach.
What should merchants do next?
Businesses that have been compromised have their PCI status set to Level 1, the highest level of compliance, for 12 months. One of the requirements at this level is to pay for the services of a Qualified Security Assessor (QSA) to complete the final Self-Assessment Questionnaire (SAQ) or full Report on Compliance.