Payment Card Industry Data Security Standard
Pat Morin, Risk and Business Advisory Principal
Any company involved in processing credit card transactions is, or should be, aware of the Payment Card Industry Data Security Standard (PCI DSS). The card brands have gotten serious about compliance with this standard: merchants and service providers are subject to considerable penalties if its requirements are not met. Penalties can include steep fines that escalate with the number of violations:
- First offense: $50,000 fine
- Second offense: $100,000 fine
- Third offense: discretionary, up to $500,000 fine
Note that these fines are levied by the card brands on the acquiring bank, which typically passes them through to the merchant under its contract. Potentially more significant than any fine, penalties can also include the loss of card processing privileges.
The PCI DSS requirements are the same for all credit card merchants and service providers; however, the process for validating compliance varies by role and by merchant level, which is determined primarily by annual transaction volume.
Specifically, the PCI DSS consists of 12 requirements, including the installation and maintenance of firewalls, no use of vendor-supplied defaults for system passwords and other security parameters, encryption of cardholder data transmitted across open public networks, use and regular updating of anti-virus software, a unique ID for each person with computer access, and regular testing of security systems and processes.
Compliance validation may include an annual on-site assessment, an annual self-assessment questionnaire, quarterly network security scans, or annual security scans, depending on the merchant level. Where third parties are required, on-site assessments must be performed by a Qualified Security Assessor (QSA) and scans by an Approved Scanning Vendor (ASV), both qualified by the PCI Security Standards Council.
Compliance is mandatory, and the process for achieving it is clearly defined. Merchants and service providers that fail to comply risk interruptions in credit card processing as well as the financial penalties described above.