Credit and debit card numbers are probably the most valuable sequences of digits around: anyone with access to them can immediately make fraudulent purchases and drain money from user accounts. Because banks and other credit card issuers will generally refund their customers in these situations, they have a vested interest in ensuring that credit card numbers remain secure as they are transmitted across the economic ecosystem. The PCI Security Standards Council was created by these industry players to make sure that transactions involving credit card numbers are as secure as possible. The Council lays down several security standards that organizations in different industry segments must implement: for instance, PCI PTS covers manufacturers of PIN-based devices, and PCI PA-DSS governs software developers writing code that manages cardholder data. PCI DSS, the most wide-ranging of the Council's standards, applies to "any entity that stores, processes, and/or transmits cardholder data," which means that any organization that accepts credit card payments (which is to say, virtually any organization that sells anything or accepts donations) must adhere to the standard.

Compliance with PCI DSS represents a baseline of security, and is certainly not a guarantee against being hacked. As we'll see, compliance can be quite complex, and it's difficult to say with certainty that every aspect of an organization's security is compliant 100% of the time. Some have argued that the credit card and payment companies that make up the PCI Security Standards Council use PCI DSS to shift security responsibilities and the financial burden of breaches onto retailers.

PCI DSS compliance became mandatory with the rollout of version 1.0 of the standard on December 15, 2004. But we should pause here to talk about what we mean by "mandatory" in this context.

PCI DSS is a security standard, not a law. Compliance with it is mandated by the contracts that merchants sign with the card brands (Visa, MasterCard, etc.) and with the banks that actually handle their payment processing.

And, as we'll see, for most companies compliance with the standard is achieved by filling out self-reported questionnaires. For those merchants, PCI DSS compliance mainly becomes "mandatory" in retrospect: if a breach occurs that can be traced back to a failure to implement the standard correctly, the merchant can be sanctioned by their payment processors and the card brands. Merchants may be required to undergo (and pay for) an assessment to ensure that they've improved their security, which we'll discuss in more detail later in this article; they may also be required to pay fines. Very large companies may be required to undergo assessments conducted by third parties even if they haven't suffered a breach.

When merchants sign a contract with a payment processor, they agree to be subject to fines if they fail to maintain PCI DSS compliance. Fines can vary from payment processor to payment processor, and are larger for companies with a higher volume of payments. It can be difficult to pin down a typical fine amount, but IS Partners provides some ranges in a blog post. For instance, fines are assessed per month of non-compliance, and the per-month charge increases for longer periods, so a company might pay $5,000 a month if they're out of compliance for three months, but $50,000 a month if they go as long as seven months.

Again, keep in mind that these aren't "fines" in the same sense that, say, you'd pay for violating some government regulation or traffic law; they're penalties built into a contract between merchants, payment processors, and card brands. In addition, fines ranging from $50 to $90 can be imposed for each customer who's affected in some way by a data breach.