PCI Compliance – Why Merchants Need to Take It Seriously – Part 1

Having a merchant account comes with responsibility.  A merchant is naturally concerned with revenue and with growing its business, but Payment Card Industry (PCI) compliance belongs at the top of the list as well.  The purpose of PCI compliance is the security of cardholder data, and it applies to every party involved in processing credit card transactions.  Not following the rules, or engaging in risky practices such as storing prohibited card data, can result in card association fines and can put a merchant account in jeopardy of being terminated, not to mention the data breaches that such practices invite.  A merchant account termination can be devastating to any business that accepts credit cards, especially one that operates purely online.

The Importance of PCI Compliance

According to the Privacy Rights Clearinghouse (privacyrights.org), more than 346 million records containing sensitive information have been breached since January 2005.  According to the Ponemon Institute's annual study, the cost of a data breach was $204 per compromised customer record in 2009.  The data were obtained from 45 companies that publicly acknowledged, and were willing to discuss, a breach of sensitive customer information.  The same study found that the average total cost of a data breach was $6.75 million in 2009.

Most laws involving credit card fraud and data security breaches target the criminals who carry out the breaches and obtain the card data.  State attorneys general have, however, investigated and filed suits against companies that were found to be non-compliant at the time of a data breach.  The card associations themselves cannot prosecute anyone, so the only way they can enforce the security standards is to penalize those who do not comply or who put cardholder data at risk.

The Payment Card Industry Data Security Standard (PCI DSS) applies to any organization or merchant that accepts, processes, transmits or stores cardholder data.  The PCI DSS was first released in December 2004 by the major card brands, otherwise known as the associations: American Express, Discover, JCB, MasterCard, and Visa.  In 2006 those brands formed the PCI Security Standards Council (SSC), which now maintains the standard.  Each card association stipulates that the PCI DSS, in addition to that association's own program rules, must be followed in order to be fully compliant.  Achieving PCI compliance means that you have met the technical and operational requirements of the PCI DSS and have validated that, either by completing a Self-Assessment Questionnaire (SAQ) or, for the highest-volume merchants, by an on-site assessment performed by a Qualified Security Assessor (QSA).

Consequences of Non-Compliance

Non-compliance can result in fines or other actions by the card associations.  Even though the PCI SSC manages the PCI DSS, any fines levied for non-compliance are imposed by the card associations, not by the Council.  The card associations usually fine the acquirer under which the non-compliant merchant processes transactions.  The acquirer then passes the fine on to the merchant, ISO or third party.  A merchant can, however, also be fined or terminated directly by the card association.

“T.J. Maxx agreed to pay as much as $40.9 million in a settlement with Visa.”

The amount of the fines and fees depends on the type of activity.  A breach of data costs a merchant far more than being found non-compliant with no data breach.  For example, in what was then the largest reported breach of card data, T.J. Maxx (TJX) agreed in November 2007 to pay as much as $40.9 million in a settlement with Visa and the bank that processes the company's credit card payments, as a result of a massive breach of TJX's customer records discovered in 2006.  (TJX admitted to 45.7 million compromised records, but court filings by the banks suing TJX estimated that about 100 million cards were affected.)  The settlement funds were reported to be used to help U.S. credit card issuers (i.e. banks) recover costs related to the breach.  In 2009, TJX agreed to pay $9.75 million to settle investigations by 41 state attorneys general.  That settlement was the sixth one that TJX announced regarding the breach.  Visa originally fined Fifth Third, TJX's acquiring bank, close to $900,000 for non-compliance.  $500,000 was assessed "due to the seriousness of this security incident and the impact on the Visa system," according to a Boston Globe report, and $380,000 was assessed for "TJX's failure to cease storing prohibited data."

Following the TJX breach, Visa announced that it would begin fining Level 1 merchants (more than 6 million transactions annually) $25,000 per month if they failed to comply with the PCI DSS.  Although these figures relate to one of the largest data breaches in U.S. history, merchants of every level should take these actions seriously to avoid the loss of data, not to mention customer confidence.

How Does Account Termination Affect A Merchant?

So, your processor terminated your account.  You may ask, "What's the big deal?  I will just get a new merchant account elsewhere."  Well, it's not as easy as it sounds.  A merchant that has been terminated is put on MATCH, which is in effect the credit card processing industry's blacklist.  Formerly known as the TMF (Terminated Merchant File), the MATCH (Member Alert to Control High-risk) list is a file of merchants that have been terminated for "cause".  Reasons include activities such as fraud or excessive chargebacks.  (See a previous blog on this subject here.)  The list is used primarily by acquirers to assess the risk of a business when it applies for a merchant account.  It is operated by MasterCard and used by Visa acquirers as well, so all acquirers check the MATCH file against any new merchant that applies for an account.  (It is rare, Costco being one exception, for a merchant to accept other cards but not MasterCard and Visa.)

A MATCH listing includes the company name and the names of the company's principals, but a company's inclusion on the list does not mean that it, or its principals, is prohibited from obtaining a merchant account again.  Acquirers use the MATCH file as an informational tool and will usually base approval or denial of a merchant application on a complete investigation.  Once a merchant is on the MATCH list, it is very difficult for it to be removed, but it can be done.

Stay tuned for Part II, which will discuss who is really responsible for PCI compliance, how to work with third-party service providers, and how to avoid fines, MATCH and account termination.

Contact us or call us now at 855-204-3838 to see how we can help you!