Apparently only 9% of the UK’s level 1 retailers are confirmed as being PCI:DSS compliant, and most of these are virtual retailers, who most likely have a slightly easier task at becoming and demonstrating compliance.
So with the fact that organisations still seem to be lacking, VISA and MasterCard are apparently taking steps to up their game and apply some more pressure / persuasion. I know what your thinking, most likely the same as me. We have heard it all before, and with disclosure being the way it is we dont get to hear about it anyway.
So what does this mean. Well the fines are starting to flow, many organisations are being fined (apparently a little under half a million a month), as well as taking steps to prevent acquirer hopping which is common if an organisation is getting to much hassle, they simply jump ship to another. Now if organisations are suspected of doing this to dodge regulation they are effectively black listed.
Of course I cant prove this is happening, same as no one else can because disclosure laws dont allow for it, and companies are not going to be actively publishing this on their sites, and customers I have worked with obviously share information under NDA.
All you can be sure of is the fact that companies are making progress, but its slow and non impressive, and obviously isnt a big enough priority. To provide encouragement fines are and will continue to be handed out, and they will be increasing. It can sometimes be hard to find out about the fines, so here is the current schedule of fines, correct on 2nd Feb 2010.
Fines are represented in US Dollar and Euro respectively
MasterCard fines for non compliance are:
Level 1 & 2 Merchants
- First Violation – Assessment Amount: Up to 25,000
- Second Violation – Assessment Amount: Up to 50,000
- Third Violation – Assessment Amount: Up to 100,000
- Fourth Violation – Assessment Amount: Up to 200,000
Level 3 Merchants
- First Violation – Assessment Amount: Up to 10,000
- Second Violation – Assessment Amount: Up to 20,000
- Third Violation – Assessment Amount: Up to 40,000
- Fourth Violation – Assessment Amount: Up to 80,000
Visa expects level 1, 2 and 3 merchants to demonstrate that they are actively engaged in the programme to become compliant. A merchant will not be at risk from Visa fines for non-compliance if they are compliant with milestones 1-4 of the Prioritised Approach
- Confirmation of compliance not received within 30 days of notification letter
– Assessment Amount: €5,250 - Confirmation of compliance not received within 90 days of notification letter
– Assessment Amount: €10,500 - Confirmation of compliance not received within 120 days of notification letter
– Assessment Amount: €26,250
The merchant will continue to be assessed €26,250 every 30 calendar days until compliance is achieved
Further fines will be applied if you suffer an actual data compromise and are found to be non compliant with PCI DSS.
Fines for Merchant Data Compromise
MasterCard fines for an account data compromise consist of several elements:
- Case Management Fee – this fee goes towards recovering costs related to administering ADC events, and is based on the type and complexity of the case, along with the number of cards involved. The minimum fee ranges from USD 2,500 to USD 150,000.
- Forensic Investigation – the merchant may be required to engage a third party forensic investigator at their own cost, in order to investigate the cause and extent of the problem.
- Dependant on the number of cards compromised, card issuer losses, and monitoring costs, further charges may also be passed onto merchants at MasterCard’s discretion.
- MasterCard also retains the right to charge for other costs relating to the ADC investigation, such as legal fees.
Visa fines for an account data compromise are:
- Sufficient remediation would be satisfied through demonstration that the following PCI DSS requirements have been implemented:
- Remove sensitive authentication data and limit data retention
- Protect the perimeter, internal and wireless networks
- Secure applications
- Protect through monitoring and access control
- Removal of CVV2 data must be achieved with 30 days
- The initial fine assessment of €2,500 would only apply for compromises notified to acquirers until October 31 2009 and will also apply to e-commerce merchants in Level III in the same period.
- Visa may also pass on issuer reimbursement of fraud losses which is unlimited and dependant on each individual issuer’s claim.