Special Report Payment and Collections
What are the penalties for non-compliance, and when do they apply?
Fines can be as much as $500,000 per incident, and violators may also be barred from participating in card association programs. To date, fines have been assessed after an organization has been breached and a subsequent forensic investigation has shown that it was not PCI compliant at the time of the incident.
How can I comply? Do I have any proactive audit or verification requirements?
Organizations that handle large transaction volumes are required to engage an approved third-party security assessor to validate compliance proactively, rather than waiting for an incident to trigger scrutiny.
If you are a merchant processing more than 6 million card transactions per year, you must hire a third-party assessor to perform an annual on-site security audit and quarterly security scans of your systems that are visible from the Internet. If you process fewer than 6 million total transactions but more than 20,000 e-commerce transactions per year, a third-party assessor must perform the quarterly scans and you must complete a self-assessment based on a standard questionnaire.
If you are a service provider that stores, processes or transmits more than 1 million transactions per year, a third-party assessor must perform an on-site security assessment and quarterly security scans. If you fall below the 1 million threshold, you are still required to perform the quarterly security scans and complete a self-assessment.
Most importantly, don't lose sight of the objective. Many organizations focus on passing a PCI audit. The real focus should be on building a security program that meets PCI requirements 24 hours a day, 365 days a year, because an audit is a point-in-time snapshot and liability attaches to your actual state at the moment of a breach. Passing an audit does not, by itself, reduce PCI liability, and any misrepresentations made during the audit can create further problems if a later security incident exposes them. For example, CardSystems, a payment processor compromised earlier this year, had passed a PCI audit and was on Visa's list of approved service providers. A subsequent forensic investigation nevertheless showed that CardSystems was out of compliance at the time of the incident, and Visa effectively put the company out of business by revoking its ability to process Visa transactions.