PCI DSS and the consequences

Why Do You Need PCI DSS?

PCI DSS applies to you if you are involved in storing, processing or transmitting any cardholder data. What’s more, the standard doesn’t just apply to storing data electronically. It also covers manual processing and storage.

Although not a legal requirement, compliance with PCI DSS standards is a requirement by Visa, MasterCard and American Express, as well as merchant account providers such as Barclaycard, HSBC, RBS WorldPay and Lloyds TSB. These merchant account providers are required to report the status of merchant account holders to Visa, MasterCard and American Express, who will, if found, enforce hefty non-compliance fines.


What Happens If You Do Not Comply With PCI DSS?

Failure to comply with the PCI DSS standards will result in fines. The below schedule details the fines that will be levied, and as they are part of all merchant agreements, they are enforceable by your merchant account provider on behalf of Visa, MasterCard and American Express.

The below figures apply to Level 4 merchants only. If you are a level 3, 2 or 1 merchant the fines can be higher. For further clarification on fine details, please refer to your merchant account provider.

Non-compliance will result in card scheme fines being passed onto you, monthly non-compliance fines, and/or termination of your card processing facilities. The costs involved after a data security breach can be extremely high.

In the event of a data compromise, MasterCard and Visa rules require that a forensic investigation will take place. This can potentially cost you thousands of pounds with no upper limit. Following the results of the investigation, the card schemes will submit the following fines.


MasterCard


$25   per card that needs re-issuing
$5   for each potential compromised card being monitored
$100,000    additional maximum of fine per incident
$100,000    for storage of the card security code (CSC) also known as CVC2, CV2 or CVV2.


Visa


€10,000  Initial Penalty of
€5,000 Insufficient remediation
€10,000 Monthly violation fee
€15,000 Monthly violation fee after 5 months



Note


The card schemes retain the rights to modify these fines and charges at any time. All fines are charged in the stated currency to avoid any conversion discrepancy.

In the event that you do not process payments on your website, but transact them through a third party or Payment Gateway provider, you technically may not need to be PCI DSS compliant, but would need to be PA DSS compliant. As 'best practice' it is recommended that you comply with PCI DSS requirements, and if needed PA DSS requirements. Adherence to these security standards will protect you against the potentially unlimited fines that could be imposed upon you should the worst happen. Implementing these measures now are certainly a better solution than trying to defend your business on a technicality later.