Not yet PCI compliant? The fines begin January 1, 2015
If you’re a third-party service provider handling any cardholder data, or a merchant processing more than 1 million transactions per annum, this latest news from Visa is relevant for you.
Visa has reiterated that PCI compliance must become a high priority for service providers and Level 1 / Level 2 merchants, and has warned that failing to demonstrate compliance by January 1, 2015 will result in fines of up to USD 25,000 per month (USD 300,000 per annum) and removal from the Visa Global Registry of Service Providers.
This strong position from Visa is not surprising given the frequent large-scale data breaches of late. The latest was announced this week by another large company, United Parcel Service (UPS), and was reported to impact 105,000 transactions at 51 stores across the United States.
If your executives continue to question the cost of PCI compliance and the value it delivers, there are now plenty of real-life examples of why a data breach is something you absolutely want to avoid. According to a recent Forbes article, Target is still reeling from the effects of its December 2013 data breach: it slashed its second-quarter earnings-per-share guidance from $0.85-$1.00 to $0.78, citing the data breach and debt retirement expenses as the primary reasons. So far the breach has cost the company $148 million in losses, and it potentially impacted around 20% of the entire US population (70 million cards).
Large companies are not the only ones being targeted by hackers – more than 400 data breaches have been reported in 2014 alone, and that’s not counting undisclosed breaches or organizations that are unaware they’ve been hacked. Only 33% of companies discover a breach themselves, and those that do take an average of 229 days to do so.
What are the PCI non-compliance fines?
If you are not yet compliant, or have not demonstrated an acceptable remediation plan towards becoming compliant soon, the fines levied by Visa via your bank are as follows.
| Merchant Level 1 | Merchant Level 2 |
|---|---|
Fines commence January 1, 2015 for service providers and Level 1 / 2 merchants who are not compliant. The amounts shown are in USD.
In addition, Visa issues fines for Prohibited Data Storage (Track 1 / Track 2), which is the storage of sensitive full magnetic stripe data.
Monthly Prohibited Data Storage Violation Fines (USD)
| Months | Merchant Level 1 | Merchant Level 2 |
|---|---|---|
| Months 7 and up | $100,000 | $50,000 |
Why are there additional fines for Prohibited Data?
Under the PCI DSS, any form of Track 1 or Track 2 magnetic stripe data storage after authorization is prohibited, regardless of whether it is encrypted. The reason is that if a hacker can steal this information, they immediately have the ability to reproduce the physical card, sign it, and use it for in-store shopping at physical shopfronts.
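To make the "prohibited data" concrete, here is an added example (written for this article, not Ground Labs or Card Recon code) of the kind of check a data discovery tool performs: it scans text for Track 1 and Track 2 layouts as defined in ISO/IEC 7813, validates the embedded PAN with the Luhn check digit to cut false positives, reports each finding with a masked PAN, and redacts the matched spans. The input is a constructed point-of-sale debug log, and the PANs in it are published test numbers, not real cards.

```python
"""Detect and redact magnetic-stripe track data (Track 1 / Track 2) in text.

Added example, not Ground Labs code. Track layouts follow ISO/IEC 7813:
  Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
  Track 2: ;<PAN>=<YYMM><service code><discretionary>?
"""
import re

# Track 1 (format code B) and Track 2 layouts per ISO/IEC 7813.
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)

# Constructed sample input (assumption: a POS terminal debug log that leaked raw swipes).
# The PANs are published test numbers, not real cards; the third one fails the Luhn check.
SAMPLE_LOG = """2014-08-20 10:01:02 INFO pos terminal 7 online
2014-08-20 10:01:09 DEBUG swipe raw=%B4111111111111111^DOE/JOHN^25121011000000000000?
2014-08-20 10:01:09 DEBUG swipe raw=;5500000000000004=251210100000000?
2014-08-20 10:02:11 DEBUG swipe raw=;1234567890123456=251210100000000?
2014-08-20 10:03:00 INFO order 88213 total 19.99
"""


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the usual display-safe form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text: str) -> list:
    """Return one finding per track-data match: line, track number, masked PAN,
    expiry and whether the PAN passes Luhn (a Luhn failure usually means a false hit)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
            for m in rx.finditer(line):
                pan = m.group("pan")
                findings.append({
                    "line": lineno,
                    "track": track,
                    "pan": mask_pan(pan),
                    "expiry": m.group("exp"),
                    "luhn_ok": luhn_valid(pan),
                })
    return findings


def redact_track_data(text: str) -> str:
    """Replace every track-data span with a placeholder, leaving the rest of the text intact.
    Anything that matches the layout is removed, Luhn-valid or not: the goal is remediation."""
    text = TRACK1_RE.sub("[TRACK1-REMOVED]", text)
    return TRACK2_RE.sub("[TRACK2-REMOVED]", text)


if __name__ == "__main__":
    for finding in find_track_data(SAMPLE_LOG):
        print(finding)
    print(redact_track_data(SAMPLE_LOG))
```

Run on the sample log, the scan reports three findings (one Track 1, two Track 2), flags the third as failing Luhn, and the redacted output keeps every other log line untouched. In a real deployment the same two patterns are what you would run across file shares, databases and log archives, because a stray debug dump like the one above is exactly how full track data ends up stored.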
What region does this apply to?
This stricter enforcement is being rolled out globally, so it doesn’t matter where in the world you are: as long as you are a merchant under Visa, these rules apply to you, with no exceptions.
How can I avoid these fines?
As a first priority, you should become PCI compliant before this date. For many large merchants, this will involve engaging a QSA to perform a PCI onsite review.
By communicating openly with your acquiring bank and establishing a comprehensive remediation plan as soon as possible, which your bank must approve, you can delay the fines that commence on January 1, 2015.
It is important to ensure that any milestones within that plan are realistic, as your bank will be required to monitor them and ensure they are met on time. This is symptomatic of what many of us in the industry see – PCI compliance has been around for more than 8 years now, yet a large number of organizations are still working towards compliance with no clear compliance date in sight.
I don’t know what to do. Who can I call?
If you’re looking for professional advice on becoming PCI compliant, the industry experts are PCI Qualified Security Assessors (QSAs). The PCI Council publishes a global list of approved QSAs whom you can talk to and engage to help you establish a solid PCI compliance remediation plan.
Can Ground Labs help?
Yes. Whilst we don’t provide consulting services as a QSA does, we make data discovery software that more than 300 QSAs rely on as part of validating PCI compliance.
Our products include remediation features that eliminate or secure cardholder data storage. This is a critical step towards reducing your PCI compliance scope, and ultimately removing the opportunity for hackers to steal that data. By reducing your PCI compliance scope, you reduce the effort and complexity of your PCI compliance remediation plan, and so avoid the PCI non-compliance fines and prohibited data storage fines mentioned above.
Take a spin with Card Recon to see how you can find insecurely stored cardholder data, including prohibited data, and then use its remediation features to remove it and meet your remediation plan.