Compliance with the Payment Card Industry Data Security Standards (PCI DSS) is critical to securing credit and debit card payment transactions. Organizations in the PCI industry deemed non-compliant with PCI DSS requirements may be subject to steep fines, ranging anywhere from $5,000 to $50,000 monthly, depending on the length of violation and compliance level. However, you can dispute fines for PCI non-compliance.
How Can You Dispute Fines for PCI Non-compliance?
PCI non-compliance is assessed by individual PCI Security Standards Council (SSC) stakeholders, including Founding Members Visa, Mastercard, American Express, JCB International, and Discover. However, each SSC stakeholder has different processes for organizations looking to dispute fines for PCI non-compliance.
Your organization can dispute fines for PCI non-compliance by:
- Initiating a PCI non-compliance assessment dispute
- Providing evidence of PCI compliance
PCI compliance may not completely protect you from costly PCI data breaches; however, it significantly minimizes the risk, especially with the help of a managed compliance security advisor.
Initiating a Dispute for PCI Non-Compliance Fines
You can dispute fines for PCI non-compliance by determining the appeal requirements for your specific card issuer. SSC stakeholders generally allow all organizations to file appeals. However, the exact appeal process is specific to individual SSC stakeholders.
Two of the SSC Founding Members, Visa and Mastercard, stipulate the below requirements for organizations processing card payments:
- Per the Visa Core Rules and Product and Service Rules (Section 126.96.36.199), participants in Visa’s system have a right to appeal non-compliance assessments if they can:
  - Demonstrate a violation of PCI DSS requirements did not occur, based on new evidence that was not previously available
  - Submit an appeal letter to be received by Visa within 30 calendar days from when the participant received notification of violation or non-compliance assessment
  - Provide evidence of new or additional information to support the request for an appeal
  - Provide a fee of $5,000, assessed upon receipt of the appeal and refundable if the appeal holds true
- Per the Mastercard Rules (Section 2.1.4 to 2.1.6), participants may initiate a review of non-compliance assessment by submitting a request, by email and in English, to the Corporation’s Chief Franchise Officer, within 30 calendar days of receiving the assessment. Appealing organizations should note that:
  - The review of the non-compliance assessment dispute may be subject to a $500 fee.
  - The Chief Franchise Officer to whom the dispute is submitted may take discretionary action and may choose not to act altogether.
  - The Chief Franchise Officer may also delegate the review process for the non-compliance dispute, and in such instances, would require full cooperation from the affected organization.
Note that all appeal decisions and recommendations made by Visa and Mastercard are considered final.
While these requirements provide a general sense of what to expect when disputing fines for PCI non-compliance, working with an experienced advisor can help your organization navigate the complexities of filing a dispute.
Demonstrating PCI Compliance to Dispute Fines
Evidence of PCI compliance is the most critical component to a successful appeal. The most common ways to demonstrate PCI compliance involve auditing and assessing your organization’s PCI compliance.
PCI Compliance Auditing
The first way to demonstrate PCI compliance is to pass an annual vulnerability scan of your organization’s cardholder processing systems. An external scan conducted by an Approved Scanning Vendor (ASV) can identify any cybersecurity vulnerabilities in your organization’s systems, specifically those related to PCI DSS compliance.
Following a successful audit, a PCI DSS ASV completes a scan report to show that a given organization complies with PCI DSS requirements. Working with a certified ASV can help your organization avoid fines for PCI non-compliance, among other legal, financial, and reputational consequences, as observed in recent PCI breaches where millions of cardholder records were compromised.
PCI Compliance Assessment
Another way to demonstrate PCI compliance is by assessing your organization’s implementation of the 12 PCI DSS Requirements and associated sub-requirements.
Assessment of and reporting on PCI compliance depends on an organization’s PCI level. It could be as simple as completing a Self-Assessment Questionnaire (SAQ) to validate and self-report on compliance. However, the largest organizations subject to the PCI DSS must undergo a Report on Compliance (RoC). RoCs involve rigorous, on-site evaluation of all DSS controls to ensure cardholder data (CHD) remains secure.
A Qualified Security Assessor (QSA) must fill out both the Attestation of Compliance (AoC) and the RoC. They can also review any findings from an SAQ, help identify compliance gaps and possible PCI breach vulnerabilities, and advise on remediation efforts.
Maintain PCI Compliance, Avoid Fines and Penalties
Consistent assessment and auditing of your organization’s CHD processing systems can help achieve ongoing PCI DSS compliance. Rather than waiting to dispute fines for PCI non-compliance, your organization can work with RSI Security, an experienced QSA and ASV, to achieve and demonstrate up-to-date PCI compliance.
We can advise on best practices for maintaining PCI compliance and help your organization minimize risks to sensitive customer data. To learn more, contact RSI Security today.