What are the consequences to my business if I do not comply with the PCI DSS?
"The PCI Security Standards Council (PCI SSC) encourages all businesses that store payment account data to comply with the PCI DSS to help reduce the risks to their brand and their finances associated with account payment data compromises. The PCI SSC does not manage compliance programmes and does not impose any penalties for non-compliance. Individual payment brands, however, may have their own compliance initiatives, including financial or operational penalties for certain businesses that are not compliant."
How long does a merchant have to become compliant with PCI DSS version 3.2?
PCI DSS version 3.2 was released in April 2016 and companies will be required to comply with the new version by 31 October 2016, when PCI DSS v.3.1 will be retired.
Can an entity be fined if it is compliant with the original PCI DSS but not the latest version?
"All compliance programs, including but not limited to fines, are managed individually and distinctly by the payment brands."
Are there any plans to make compliance easier for small to medium-sized merchants?
"All merchants must comply with the same Standard to be considered compliant with PCI DSS version 3.0. Approaches for validation of compliance differ based upon merchant size and are determined based upon levels set individually by the payment brands. The PCI SSC will support future work efforts intended to build technical guidance and other tools into the self-assessment questionnaire."
In practice, this means that each payment brand will take whatever enforcement action it considers commercially viable to enforce the PCI DSS.
What are the penalties for non-compliance?
“There are no standardised penalties across all the payment brands, and the PCI SSC has no plans to create any. Each brand will require separate evidence of compliance and, given that the original dates for compliance have now all passed, is likely to set different dates for different entities to demonstrate compliance to different levels. The acquiring bank is usually the best channel through which to discuss compliance deadlines and penalties, which are all imposed by means of the payment brand’s/acquiring bank’s contract with the merchant.”
Will outsourcing our card facilities make us compliant?
“Outsourcing simplifies payment card processing but does not provide automatic compliance. Don’t forget to address policies and procedures for cardholder transactions and data processing. Your business must protect cardholder data when you receive it, and process chargebacks and refunds. You must also ensure that providers’ applications and card payment terminals comply with relevant PCI standards and do not store sensitive cardholder data. You should request a certificate of compliance annually from providers.”
Will PCI compliance ensure we do not suffer a breach?
“Successful completion of a system scan or assessment for PCI is but a snapshot in time. Security exploits are non-stop and get stronger every day, which is why PCI compliance efforts must be a continuous process of assessment and remediation to ensure the safety of cardholder data.”
Should we be compliant even if we hardly ever process credit cards?
“PCI compliance is mandatory for any business that accepts payment cards – even if the quantity of transactions is just one.”