What is PCI compliance?


Page 1: What is PCI compliance?

What is PCI Compliance?

PCI DSS stands for "Payment Card Industry Data Security Standard," and refers to the security guidelines for businesses that accept credit cards. PCI DSS provides businesses an actionable framework to protect cardholder data. PCI DSS is governed by the PCI Security Standards Council, and it was originally created using information from Visa's Cardholder Information Security (CISP) program and MasterCard's Site Data Protection (SDP) program.

Is PCI Compliance mandatory?

PCI compliance is required for all businesses that accept credit or debit card payments. This requirement is not diminished by the size of the merchant, even if they process very small volumes. Large merchants are required to have PCI compliance validated by a qualified security assessor (QSA). A qualified security assessor is a person who has been certified by the PCI Security Standards Council to audit merchants for PCI DSS compliance.

QSAs are employed as impartial third parties during PCI-compliance audits of Level 1 merchants (those who process over 6 million Visa transactions a year). During the audit process, a QSA fills out a Report on Compliance (ROC) that verifies the merchant's compliance with PCI DSS. The ROC is sent to the merchant's acquiring bank, which then sends it to the appropriate credit card company for compliance verification.

Small businesses are supposed to be PCI compliant, but it's up to the business's credit card processor to verify.

Merchant Levels & Compliance

PCI guidelines separate merchants into four levels depending on the number of transactions processed annually and how the merchant transmits cardholder data. Most businesses are classified as PCI level four, which is the lowest level of scrutiny:

• Less than 20,000 E-Commerce transactions annually AND
• Less than 1,000,000 Retail transactions annually

For level 4 merchants, the processor and merchant service provider (MSP) determine the validation requirements and PCI compliance.

Processor Approaches to PCI Validation


Not all processors are created equal and many have taken different approaches to validating PCI compliance, some better than others.

First Data and their processors require all businesses to validate PCI compliance and provide PCI support programs to help businesses become compliant. Businesses that are not in compliance with the regulations are charged a PCI non-compliance fee.

The Importance and What this Means to the Merchant

Credit card data, personal information and private data attacks are a big part of “white-collar crime”. The internet provides a vehicle for these attacks, which can be perpetrated from any location in the world. These days, business size and type have little to do with the potential for data breaches and attacks. PCI compliance is not optional and should be considered a key business policy. The PCI security regulations have been implemented to secure everyone's confidential information and data. Non-compliance brings fines and penalties from the payment card industry and providers. Fines can include the following:

• Fines of $500,000 per data security incident
• Fines of $50,000 per day for non-compliance with published standards
• Liability for all fraud losses incurred from compromised account numbers
• Liability for the cost of re-issuing cards associated with the compromise
• Suspension of credit card acceptance by a merchant’s credit card account provider
• Loss of reputation with customers, suppliers, and partners
• Possible civil litigation from breached customers

The consequences of not being PCI compliant range from $5,000 to $500,000, levied by banks and credit card institutions. Banks may fine based on the forensic research they must perform to remediate non-compliance. Credit card institutions may levy fines as a punishment for non-compliance and propose a timeline of increasing fines. It's not unusual for businesses to be assessed large fines for lack of compliance.

A recent news article dated March 14, 2013, stated that Genesco suffered a data breach in 2010, and that Visa collected $5,000 fines from all of its merchant banks, many of which extracted the money from Genesco's accounts, according to the report. Visa collected more than $13.3 million in penalties, and MasterCard extracted approximately $2.3 million. According to court documents, the lawsuit alleges that Genesco's breach did not constitute a major violation of the PCI compliance rules outlined by Visa, but the credit card firm exacted the fines anyway. A copy of the court documents can be found here: http://www.wired.com/images_blogs/threatlevel/2013/03/Genesco-Complaint.pdf


Currently 38 states have enacted some sort of breach disclosure law. In general, most state laws follow the basic tenets of California's original law, which was enacted in 2002. Companies that are breached must immediately disclose the data breach to customers, in writing. Companies must also notify their processor, who will then notify the bank. The processor or bank will then initiate a PCI DSS audit of the merchant to determine whether the merchant was PCI DSS compliant at the time of the breach.