What you, the merchant, MUST know is that currently both VISA and MasterCard require merchants (and acquirer processors, like us here at JetPay) to be PCI DSS validated. Card Issuing Banks don’t need to be, interestingly – but they must secure sensitive data in a similarly compliant manner.
Here’s the catch though – if you suffer a security breach and you are NOT PCI DSS compliant at the time of the breach, VISA & MasterCard will hit you with heavy, expensive penalties. These penalties generally fall into two categories: Non-compliance and Account Data Compromise (ADC).
Fines may be applied because of lack of progression towards PCI DSS compliance or for storing Sensitive Authentication Data (SAD); the fines can be levied every month and the value escalates if associated deadlines are missed. Typically non-compliance fines range from €4,500.00 to €9,000.00 per month plus anything up to €100.00 per compromised card – sometimes considerably more.
“…Back in 2008, Lisa White, a PCI DSS expert at Deloitte, estimated that if your customers’ credit card details fell into the wrong hands you could expect some serious fines. She suggests that a merchant with 10,000 customer cards would have to pay fees of around 5 Euros per card (€ 50,000.00) with investigation costs of anything from €30,000.00 upwards PLUS an average fraud of €1,000.00 per card. Add the cost of card replacement and obligatory chargeback fees – and that breach of a modest 10,000 customer details carries a fine of 11 MILLION Euros!! That is frightening!..”
Account Data Compromise (ADC)
An ADC is when a person or group gains unauthorised access to the cardholder data that is held within your business environment in either electronic or physical form. It can be identified in a number of ways, but it is usually detected as a common point of purchase before cards are used fraudulently elsewhere. Once a potential ADC has been reported, a PCI forensic investigator must come onsite to determine the source of the compromise and quantify the amount of cardholder data that has been stolen.
If you become the subject of an ADC you risk stiff financial penalties, the suspension or termination of your merchant facility, damage to your brand and reputation, and having to undertake additional ongoing audit tasks. There have been, and continue to be, many examples of ADC events worldwide, and they have been experienced by all types of business, small and large. It is important to recognise that criminals do not target any particular type of business; if there is an identified weakness and they can exploit it, they will.
“..a US based 2009 Ponemon Institute study concluded during its review of 45 data breach events in the previous year that the least expensive total cost to resolve a U.S.- based data breach event was $750,000 and the most expensive was $31 million. For issuers, acquirers, and their customers, efforts to blunt or at least mitigate and quickly remedy a breach event have an obvious impact on the bottom-line.”