
PCI DSS non-compliance fines: it’s not worth it!

If your organization, company or business takes credit card data from its users or customers, this is of interest to you: failure to comply with the PCI DSS payment card requirements can result in significant financial penalties, in addition to other serious problems.

While it is true that Spanish legislation is still vague on these matters, the rules of Visa, Mastercard and Co. are crystal clear. There is a security standard, and if it is not met, heavy penalties apply. The idea you should keep in mind is that without proper security measures you are exposed to them.

Who is the PCI SSC and what is the PCI DSS?

First of all, we will clarify the basics about who is who in this labyrinth of credit card payment security. The PCI SSC is the Payment Card Industry Security Standards Council, a consortium formed in 2006 by the world’s leading payment brands: Visa and Mastercard, of course, but also American Express, Discover and JCB International.

The PCI DSS is the PCI Data Security Standard. In other words, it is the set of rules that must be followed by anyone who stores, processes or transmits cardholder data for cards issued under these brands. If you handle bank card data, check your contract, because you are one of them.

In principle, these rules are enforced against the financial institutions (acquiring banks) with which card payment service providers and merchants work. In the event of a breach of the rules, these banks usually do not hesitate to pass on the costs to your organization.

The mosaic of card payment security

We know that it is not easy to find one’s way in this small compliance labyrinth full of small (and not so small) special cases. So first of all, we have put together for you the main ideas on the subject, which you should be very clear about:

  • Although there are common security standards, each payment brand has its own compliance program.
  • These programs define the categories of service providers and their validation requirements, as well as the conditions and amounts of penalties.
  • There are different penalties for different categories, which also vary depending on the type of rule that is broken and whether it is considered deliberate.
  • Financial penalties are usually progressive (i.e. the penalty increases over time if not remedied).
  • There are other non-financial penalties, such as withdrawal of POS terminals or cancellation of contracts; additional costs generated by the forensic investigation may also be incurred.

How much money are we talking about? The Visa case

We cannot tell you the exact amounts, as they depend on each payment brand you work with and on your bank. The best way to build a solid foundation is to start from the PCI SSC documentation.

But we do want you to be able to see some actual penalty tables for the major brands. Remember that you can consult them in this document (sections 1.12.2.2 and 1.12.2.8).

And as for Mastercard…

Mastercard’s penalties are much clearer, but equally painful, and we bring them to you here (and you can consult them in this Mastercard document, section 10.3.4).

In conclusion: a couple of examples

Suppose Visa discovers that we are not complying with one of its core rules. The first thing it will do is send us a warning letter requesting a remedy within a certain period of time. If we do not act within the deadline, the penalty will be $25,000; if 30 days have passed since the expiration of the deadline, the amount rises to $50,000, and if we exceed 90 days, we are talking about $150,000, doubling every month.

Let us now assume that Visa considers the breach to be ‘wilful’. In this case, the warning letter will result in a penalty of $50,000. Let’s imagine that the response deadline expires and, although we remedy the non-compliance, we fall back into non-compliance in less than a year; in that case, we are talking about a penalty between US$100,000 and US$1,000,000.

In any case, and to try to end on a positive note, these penalties are at the discretion of the payment brand, and the brand can often agree to reduce or waive them, especially if we act with transparency, speed and goodwill. But, in any case, it is better not to put it to the test.

Lack of security in card payments is costly

All this assumes that there is no actual leak of the data of the users you work with; if there were, the situation would be much more complicated still. No matter how you look at it, it is not worth neglecting security.
