What is PCI Compliance

1. WWhhaatt iiss PPCCII CCoommpplliiaannccee??
PCI DSS stands for "Payment Card Industry Data Security Standard," and refers to the
security guidelines for businesses that accept credit cards. PCI DSS provides
businesses an actionable framework to protect cardholder data. PCI DSS is governed
by the PCI Security Standards Council, and it was originally created using information
from Visa's Cardholder Information Security (CISP) program and MasterCard's Site
Data Protection (SDP) program.
IIss PPCCII CCoommpplliiaannccee mmaannddaattoorryy??
PCI compliance is required for all businesses that accept credit or debit card
payments. This requirement is not diminished by the size of the merchant, even if they
process very small volumes. Large merchants are required to have PCI compliance
validated by a qualified security assessor (QSA). A qualified security assessor is a
person who has been certified by the PCI Security Standards Council to audit
merchants for PCI DSS compliance.
QSAs are employed as impartial third parties during PCI-compliance audits of Level 1
merchants (those who process over 6 million Visa transactions a year). During the
audit process, a QSA fills out a Report on Compliance (ROC) that verifies the
merchant's compliance with PCI DSS. The ROC is sent to the merchant's acquiring
bank, which then sends it to the appropriate credit card company for compliance
verification.
Small businesses are supposed to be PCI compliant, but it's up to the business's credit
card processor to verify.
MMeerrcchhaanntt LLeevveellss && CCoommpplliiaannccee
PCI guidelines separate merchants into four levels depending on the number of
transactions processed annually and how the merchant transmits cardholder data.
Most businesses are classified as PCI level four, which is the lowest level of scrutiny:
• Less than 20,000 E-Commerce transactions annually AND
• Less than 1,000,000 Retail transactions annually
For level 4 merchants the processor and merchant service provider (MSP) to
determine validation requirements, and PCI compliance.
PPrroocceessssoorr AApppprrooaacchheess ttoo PPCCII VVaalliiddaattiioonn

2. Not all processors are created equal and many have taken different approaches to
validating PCI compliance, some better than others.
First Data and their processors require all businesses to validate PCI compliance and
provide PCI support programs to help businesses become compliant. Businesses that
are not in compliance with the regulations are charged a PCI non-compliance fee.
The Importance and What this Means to the
Merchant
Credit card data, personal information and private data attacks are a big part of “white-
collar crime”. The internet provides a vehicle for these attacks such that they can be
perpetrated from any location in the world. The business size and type has little to do
these days with potential data breeches and attacks. PCI compliance is not optional
and should be considered a key business policy. The PCI Security regulations have
been implemented to secure everyones confidential information and data. Non-
compliancy brings about fines and penalties from the payment card industry and
providers. Fines can include the following:
• Fines of $500,000 per data security incident
• Fines of $50,000 per day for non-compliance with published standards
• Liability for all fraud losses incurred from compromised account numbers
• Liability for the cost of re-issuing cards associated with the compromise
• Suspension of credit card acceptance by a merchant’s credit card account
provider
• Loss of reputation with customers, suppliers, and partners
• Possible civil litigation from breached customers
The consequences of not being PCI compliant range from $5,000 to $500,000, which
is levied by banks and credit card institutions. Banks may fine based on forensic
research they must perform to remediate noncompliance. Credit card institutions may
levy fines as a punishment for noncompliance and propose a timeline of increasing
fines.
Its not unusual for businesses to be assessed large fines for lack of compliance. A
recent news article dated March 14, 2013, stated Genesco suffered a data breach in
2010, and Visa collected $5,000 fines from all of its merchant banks, many of which
extracted the money from Genesco's accounts, according to the report. Visa collected
more than $13.3 million in penalties, and MasterCard extracted approximately $2.3
million. According to court documents, the lawsuit alleges that Genesco's breach did
not constitute a major violation of PCI compliance rules outlined by Visa, but the credit
card firm exacted the fines anyway. A copy of the court documents can be found here.
http://www.wired.com/images_blogs/threatlevel/2013/03/Genesco-Complaint.pdf

3. Currently 38 states have enacted some sort of breach disclosure law. In general, most
state laws follow the basic tenets of California's original law which was enacted back in
2002. Companies who are breached must immediately disclose the data breach to
customers, in writing. Companies must also notify their processor who will then notify
the bank. The processor or bank will then will initiate a PCI DSS audit on the
merchant to see if the merchant was PCI DSS compliant at the time of the breach.