Tuesday, October 13, 2009

Some PCI Compliance Facts

What is PCI DSS? The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Essentially any merchant that has a Merchant ID (MID). It is important to note, the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.

To whom does PCI apply? PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data (including non profits).

PCI compliance deadline? All merchants that store, processes or transmit cardholder data must be compliant now.

What are the PCI compliance ‘levels’? All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period.

Merchant Level Description

1 Any merchant -- regardless of acceptance channel -- processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.

2 Any merchant -- regardless of acceptance channel -- processing 1M to 6M Visa transactions per year.

3 Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.

4 Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants -- regardless of acceptance channel -- processing up to 1M Visa transactions per year.

Level 4 merchant: You will have to refer to your merchant bank for their specific validation requirements and deadlines. All deadline enforcement will come from your merchant bank

Does PCI apply if I only accept credit cards over the phone? Yes. All business that store, process or transmit payment cardholder data must be PCI Compliant.

I’m in Canada do I have to worry about it? Canada’s deadline has come and gone. Both Canadian and UK merchants are required to be PCI compliant.

Is PCI compliance expensive? No, but non-compliance can be catastrophic. Non-compliance doesn’t just result in lofty fines, credit card replacement and audit fees. Consider the loss of business reputation and revenue.

70% of the cost of non-compliance was due to the loss of revenue!

What are the PCI Compliance Fines?

  • $3 to $10 per card for replacement costs
  • $5,000 to $50,000 (or more) in compliance fines
  • The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks then pass the fines down to the merchant. The bank is likely to either terminate your business relationship or increase your transaction fees.

The average cost of a data breach for a Level 4 merchant averages $36,000 and can be as high as $50,000 (or more) for failure to meet PCI compliance.

No comments:

Post a Comment