Apparently only 9% of the UK’s level 1 retailers are confirmed as being PCI:DSS compliant, and most of these are virtual retailers, who most likely have a slightly easier task at becoming and demonstrating compliance.
So, given that organisations still seem to be lacking, VISA and MasterCard are apparently taking steps to up their game and apply some more pressure / persuasion. I know what you're thinking, most likely the same as me: we have heard it all before, and with disclosure being the way it is we don't get to hear about it anyway.
So what does this mean? Well, the fines are starting to flow: many organisations are being fined (apparently a little under half a million a month). Steps are also being taken to prevent acquirer hopping, which is common when an organisation is getting too much hassle from one acquirer and simply jumps ship to another. Now, if organisations are suspected of doing this to dodge regulation, they are effectively blacklisted.
Of course I can't prove this is happening, same as no one else can, because disclosure laws don't allow for it, companies are not going to be actively publishing this on their sites, and customers I have worked with obviously share information under NDA.
All you can be sure of is the fact that companies are making progress, but it's slow and unimpressive, and obviously isn't a big enough priority. To provide encouragement, fines are and will continue to be handed out, and they will be increasing. It can sometimes be hard to find out about the fines, so here is the current schedule of fines, correct as of 2nd Feb 2010.
Fines are expressed in US Dollars and Euros respectively.
MasterCard fines for non-compliance are:
Level 1 & 2 Merchants
- First Violation – Assessment Amount: Up to 25,000
- Second Violation – Assessment Amount: Up to 50,000
- Third Violation – Assessment Amount: Up to 100,000
- Fourth Violation – Assessment Amount: Up to 200,000
Level 3 Merchants
- First Violation – Assessment Amount: Up to 10,000
- Second Violation – Assessment Amount: Up to 20,000
- Third Violation – Assessment Amount: Up to 40,000
- Fourth Violation – Assessment Amount: Up to 80,000
Visa expects level 1, 2 and 3 merchants to demonstrate that they are actively engaged in the programme to become compliant. A merchant will not be at risk of Visa fines for non-compliance if they are compliant with milestones 1-4 of the Prioritised Approach.