There has been a rise in the number of reported payment card data breaches within the retail and hospitality industries. It has often been noted that the compromise occurred even though the breached organisation was certified as compliant with the requirements of the Payment Card Industry (PCI) data security standard.
Most businesses work hard to understand and implement the PCI compliance standards. As consumers, unless we are directly involved in the process, we do not have the same level of understanding of what the standard covers.
PCI DSS is not law, but a set of standards agreed and enforced by the card issuers (Visa, MasterCard, American Express, Discover and JCB) together with acquiring banks and payment service providers.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of industry standards designed to protect payment card data. The standards provide an additional level of protection for consumers and reduce the risk of data breaches involving personal cardholder data.
Any organisation that transmits, stores or processes primary account numbers (PAN) is required to comply with the PCI DSS. In addition, where other cardholder data is stored, processed, or transmitted with PAN it must also be protected.
The standards comprise 12 broad requirements, which are grouped into six key areas:
There is a huge difference between compliance and security, and certified companies must not fall into a false sense of security. Certification does not guarantee that a breach is not going to occur.
PCI DSS demands only a minimum set of requirements and one size does not fit all. Here are some examples of what is covered by PCI DSS:
If you do not have a response plan then we would recommend that you take the following steps:
American Express, Discover and Visa require you to notify them immediately upon confirming a security breach. MasterCard requires notification within 24 hours of the breach becoming known.
Businesses that are found to be out of compliance with the PCI DSS may be subject to fines by the entity they use to process their credit card transactions. Furthermore, non-compliant businesses that experience a data breach in which credit card data is actually stolen are subject to much larger fines and fees from the banks, card brands, etc.
Once the card schemes have reviewed the forensic findings, they will decide whether fines are required. These will be passed on to you as per your Merchant Agreement. It is also important to make sure that the agreements you have with your service providers include provision for compensation should they be identified as the point of compromise.
You may also be faced with penalties even when no breach has occurred. Non-compliance fines can be levied for the failure to undertake due diligence to ensure your Third Parties/Service Providers/Merchant Agents are and remain compliant with the PCI DSS.
Fines vary from case to case. As a guide, Visa penalty levels start at £10,000 and MasterCard at £5,000. These are base fines only; other charges may be applied depending on the nature of the breach.
Businesses that have been compromised have their PCI status set to Level 1, the highest level of compliance, for 12 months. One of the requirements of Level 1 is to pay for the services of a Qualified Security Assessor (QSA) to complete the final Self-Assessment Questionnaire (SAQ) or full Report on Compliance.