Understanding PCI compliance fines: Who is in charge of enforcing PCI?


If your business stores, processes, or transmits payment card data, then it is subject to the requirements of the PCI DSS. This set of security controls is designed to help merchants combat card data theft, protecting both consumers and merchants' own reputations. When a business fails to satisfy those rules, it can be subject to significant financial penalties. But who exactly is in charge of enforcing PCI?

This is a point of confusion for many merchants. The answer explains a great deal about how PCI actually works.

Rule, not law
Given the size of PCI penalties, commonly cited as $5,000 to $100,000 a month, and how widely the standard applies, it would be understandable to assume that it was a government regulation. In fact, PCI DSS is an industry rule, not a law. It was created in the early 2000s as a collaborative effort between the major card brands: the first version of the standard was published in December 2004, and the PCI Security Standards Council that maintains it today was formed in 2006.

The card brands had a strong incentive to fight card data theft and fraud. Under US law a cardholder's liability for fraudulent charges is capped at $50, so the card brands and their member banks absorbed the rest. With this direct financial motivation, the brands formed the PCI Security Standards Council, an independent body that maintains and updates the PCI DSS over time and educates merchants and banks about it.

Those duties do not include fining merchants. That responsibility falls to another critical player in the PCI process.

Acquiring banks and PCI
If you are a merchant, your acquiring bank (or "acquirer") is the bank that accepts card payments on your behalf and settles them with the card brands. It is this party that will impose fines on you if you are found to be out of compliance with PCI DSS.

What is the acquiring bank's interest in your PCI compliance status? In short, the acquirer is a member of the card brands' payment networks and is bound by their operating rules, which make it responsible for its merchants' compliance. The PCI Security Standards Council writes the standard but does not fine anyone; it is the card brands that fine the acquiring bank if one of its merchants is found to be non-compliant, in the amounts mentioned earlier and typically assessed monthly until the merchant is brought back into compliance. The bank may then pass those penalties on to you, the merchant, under the terms of your merchant agreement.

This is why it is important for merchants to know precisely how PCI DSS is enforced. Since your acquiring bank bears the initial brunt of any penalties you might incur, it decides how you must demonstrate compliance, within the validation rules the card brands set for merchants of your transaction volume. There are two basic approaches:

  • Requiring that you complete a Self-Assessment Questionnaire (SAQ) on your own, signed off with an Attestation of Compliance (AOC)
  • Requiring that a Qualified Security Assessor (QSA) perform an on-site assessment of your business and produce a Report on Compliance (ROC).

Which style of validation is more beneficial for your business may vary. A QSA assessment costs more but delivers an independent, evidence-based verdict on your controls; a self-assessment is cheaper and simpler but is only as reliable as your own understanding of the requirements. Note that the choice is not always yours: the highest-volume merchants are required by the card brands to submit a full Report on Compliance rather than a self-assessment.

It is a good idea for all merchants to speak with their acquiring bank about how they are expected to demonstrate compliance, and about which SAQ applies to them if self-assessment is permitted. For additional resources, see the guidance the PCI Security Standards Council publishes for small and medium-sized businesses. The more you know about your PCI responsibilities, the better prepared you will be to defend your business and your customers against fraud and theft.