Payment Card Industry (PCI) compliance is a beast, and implementing data security best practices requires work from hard-to-acquire talent. This can lead to an unintended breach of privacy in even the most security-conscious company.
Since sometimes these breaches are obvious to the customer or end-user, a company may be notified or reported for a PCI DSS violation. It’s important to understand that being reported is less about punishing a merchant or service provider with PCI DSS fines and more about securing PCI data, such as credit card numbers and cardholder names, to reduce fraud and prevent a severe data breach.
Keep reading to learn the essentials related to being notified of a PCI violation and what steps you can take in the event of a breach.
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of data security standards designed to protect consumer data - specifically cardholder numbers and other sensitive information.
This Data Security Standard was founded in 2006 by the Payment Card Industry Security Standards Council (PCI SSC), a group made up of major payment card companies such as American Express, Discover Financial Services, Visa, Mastercard, and JCB International.
To become PCI DSS compliant, merchants and service providers must abide by its 12 requirements, including numerous sub-requirements designed to minimize cybersecurity threats. Merchants and service providers are required to maintain PCI Compliance if they store, process, transmit, or have the ability to affect the security of cardholder data.
What counts as a PCI DSS violation?
Violating PCI DSS compliance is easier than you think, especially if proper systems aren’t in place for handling sensitive data. While these violations are usually unintentional, they can put PCI and PII information at risk.
Some common PCI breach scenarios include:
- Credit card information or other cardholder data in clear public view, such as on a desk or computer screen.
- If on paper, the credit card information is stored in unlocked or unsecured cabinets.
- Your point-of-sale system is connected with other systems that also lack adequate PCI protections.
- Customer and employee usernames and passwords are not adequately protected.
As you can see, a PCI breach can easily be due to an unintentional slip or simply not understanding how data security works. That’s one of the reasons for having a strong compliance team - either in-house or outsourced - when creating your systems and processes.
PCI DSS violation reporting - as easy as 1, 2, 3...
The reason you may end up finding yourself on the other end of a PCI DSS violation report is that it’s very simple for someone to report you. The steps someone can take to report a violation are:
-
Contact the merchant or service provider (that’s you). Depending on the extent of the PCI breach, you may be able to solve the situation yourself. For example, if the person reporting the issue noticed credit card information in public view, you may need to offer further training for employees on data protection. Be sure to follow-up with the person reporting to let them know what steps you’re taking to remedy the situation.
-
Report the PCI non-compliance to the merchant’s credit card processor. They may also alert their credit card companies (Visa, MasterCard, etc.)
-
If the person reporting feels that their payment card information has been compromised, they will likely contact their bank and ask them to cancel their card.
Steps once you’ve been notified of a PCI DSS violation.
If you are a merchant or service provider who has been compromised, it is essential that you take care to safeguard your systems immediately. Outside of notifying American Express, Discover, MasterCard, and Visa of a security breach within 24 hours, you will need to lock down your systems.
Some steps you can take to minimize exposure are:
- Telling your bank that you have been compromised.
- Locking down the compromised system. No one should be able to access or alter it.
- Unplugging your network cables but keeping your systems on.
- Backing up your systems.
- Logging everything that you do and preserving those logs.
- Halting transactions, unless advised otherwise by an experienced data security consultant.
- Taking a point in time snapshot of your systems for forensic analysis.
What happens if you are reported for PCI non-compliance?
Businesses found to be in non-compliance can be subject to hefty PCI DSS fines. The fine amount varies depending on many factors, including the scope of exposure and degree of non-compliance. Penalty PCI DSS fines can range from $5,000 to $100,000 per month. These fees can also be increased based on how long a company continues to be non-compliant. Those who are not compliant within seven months can expect to pay up to $100,000 per month until they meet PCI DSS requirements.
It is important to note that PCI DSS fines are levied based on compliance violations, not necessarily a data breach.
For businesses relying on service providers for transactions, it is essential to make sure your agreement includes compensation for potential PCI DSS fines or other damages in case they are the cause of the compromise.
Never worry about PCI DSS violations again.
Maintaining PCI DSS requirements are expensive and labor-intensive. But there are ways to shift your liability in case of a data breach and reduce your PCI scope while using cardholder data. The Zero Data approach to PCI compliance allows you to use data without ever seeing or touching the raw information - thus preventing a PCI breach or violation. Check out how Fivestars uses Zero Data to power its loyalty program in this case study.
