Who Imposes PCI Compliance Fines? Busting the Penalty Myths
Every merchant who processes, stores, or transmits payment card data is subject to the Payment Card Industry Data Security Standard (PCI DSS), but many don’t understand the potential penalties for non-compliance. Often, independent retailers have only a hazy idea of what’s expected of them – and that can put them at a disadvantage.
Some of the biggest misunderstandings about PCI compliance center on enforcement: who imposes fines and validates compliance? The answers aren’t just academic. In fact, they have some important implications for a retailer’s overall PCI strategy.
What PCI Is – And Isn’t
First off, PCI isn’t a law. Its real origin is right there in the acronym: “Payment Card Industry.”
In the early 2000s, the major credit card brands decided to band together to combat fraud. They had a strong incentive: consumers were liable for up to $50 of fraudulent purchases made in their name, but the card brands were on the hook for the rest.
So these companies worked together to create a set of standardized information security guidelines – and the PCI DSS was born. Additionally, they all pitched in to create an independent organization called the PCI Security Standards Council, charged with maintaining the standards and educating merchants and banks about them.
Take note: “merchants and banks.” That’s an important piece of the PCI puzzle for independent retailers. PCI compliance isn’t enforced by the government or the PCI Security Standards Council. In fact, it’s enforced by the retailer’s own acquiring bank. (The acquiring bank is the organization that processes credit cards on behalf of the merchant.)
Why and How Banks Enforce PCI Compliance
Why are acquiring banks interested in PCI compliance in the first place? Well, if a business is not compliant with the PCI DSS requirements, the credit card brands may assess fines on the business’s acquiring bank. Fines may range from $5,000 to $100,000 a month or more until the retailer gets in compliance, depending on the circumstances. Retailers can expect that their acquiring bank, in turn, may choose to recoup its losses by assessing similar fines on the retailer for its non-compliance.
Since banks are responsible for enforcing PCI compliance, they can decide how they wish to verify a merchant’s compliance (and how they penalize non-compliance).
And this is where it pays for retailers to know how PCI really works. Once they understand that their acquiring bank will determine how they must demonstrate compliance with PCI, retailers can have up-front conversations with their banks about what is expected. If a retailer hasn’t yet chosen an acquiring bank, it can even consider how various banks’ PCI enforcement policies might be most beneficial.
For example, there are two primary ways banks choose to have merchants demonstrate compliance: through a self-reporting checklist or via a full audit conducted by a Qualified Security Assessor. Each approach has its advantages – self-reporting may mean less hassle for some retailers, but an audit may provide a greater sense of security.
Whether they are new or experienced independent retailers, all merchants should talk with their acquiring bank and check out the PCI Security Standards Council’s web page for small and medium businesses. By learning more about PCI compliance responsibilities and effective security strategies, merchants can be better equipped to protect their business and customers and to ensure that their practices properly protect payment card data.
Contributed by Mark Burnette, a partner with LBMC Security & Risk Services. Mark directs the firm’s resources to craft security solutions that mitigate security risks in a way that is practical and relevant to the organization’s environment. Mark has received numerous commendations for his contributions to information security on behalf of his employers and the community at large. Most recently, the Information Systems Security Association (ISSA) named Mark a Fellow, one of a handful of individuals recognized for their accomplishments in information security, leadership, and service to the association and profession.