Friday, October 07, 2011

If you are not yet PCI compliant, get there now.

If you are a payment card merchant and are not yet PCI DSS compliant, take notice. Non-compliance could end up being one of the biggest costs in penalties your company ever incurs.

High-profile cases involving big corporations have hit the headlines in the last couple of years. The payment card industry has threatened huge fines against some larger merchants, up to $25,000 per month until compliance is achieved. In the well-known case of TJX (owner of the T.J. Maxx, Marshalls, HomeGoods and A.J. Wright retail chains), the company reported spending $202 million as a result of the PCI violation that compromised the card-holder account information of as many as 40 million customers. That money is being spent to handle more than 20 lawsuits brought against it by banks and consumers in the U.S. and Canada, and to pay settlements with the credit card associations. I don't see how a smaller business owner can afford to gamble with the penalties for non-compliance.

If you are one of these businesses and are not yet compliant, you are constantly at risk of losing sensitive card-holder data, which will most likely result in PCI DSS fines, legal action and bad publicity. Organizations that fail to comply face fines of up to $500,000 if the data is lost or stolen, and risk losing the ability to handle card-holder data at all. Theft of sensitive information such as credit card data comes not only from external threats but from insider threats as well. The PCI Security Standards Council website provides a wealth of information for understanding and navigating the PCI DSS. User forums such as the LinkedIn PCI DSS Compliance Specialist group, along with vendor blogs and websites, are also good sources of free information.

Is PCI compliance a law? The short answer is no. The long answer is that while it is not currently a federal law, there are state laws already in effect (and others that may go into effect) that write components of the PCI Data Security Standard (PCI DSS) into law. In addition, there is a big push by legislatures and industry trade associations to enact a federal law covering data security and breach notification.

While the card brands themselves may have zero legal authority to levy fines directly on a business, every merchant card agreement I've read includes a clause in which the merchant agrees to reimburse any fines the card brand imposes on the acquiring bank on the merchant's account. Check the small print of your merchant agreement.

Taking a look at Visa Inc.'s agreement, it states: "PCI DSS compliance is required of all entities that store, process, or transmit Visa cardholder data, including financial institutions, merchants and service providers. The PCI DSS applies to all payment channels, including retail (brick-and-mortar), mail/telephone order, and e-commerce. Visa Inc.'s compliance programs manage compliance with the PCI DSS with the required program validation."

The PCI DSS is a comprehensive set of requirements that companies must adhere to in order to ensure that the account data of all their customers is protected. Essentially, if your organization stores, processes or transmits any form of credit card information in the course of its business, then your company must be compliant with the PCI DSS.

Wiredwizrd

Morgan Todd Lewistown, PA

Experienced Information Technology Manager with a strong knowledge of technical guidance, IT best practices, security protocols, team leadership, and analyzing business requirements.