Pioneered by the five major credit card companies, the Payment Card Industry (PCI) established the Data Security Standard (DSS) in 2004. Since then, it’s been a major force in steering regulations in the retail industry regarding cardholder data (CHD) collection, storage, and security. But what happens when a consumer or employee decides to report PCI compliance violations regarding your organization?
Complying with the PCI DSS
Created and enforced by senior-level officials with American Express, Discover, JCB, Mastercard, and Visa, PCI DSS provides a framework for protecting CHD from virtual and physical threats. Organizations that fail to abide by these regulations face severe repercussions, including PCI compliance violation fines, potential consumer litigation, loss of business or reputation, and more.
Organizations and cardholders should familiarize themselves with reporting procedures should an incident of non-compliance be discovered:
- Who can report PCI compliance violations?
- What are the common non-compliance issues?
- What are the potential consequences and repercussions?
Who Can Report PCI Compliance Violations?
Generally, anyone can report an organization for PCI compliance violations. However, most reports come from one of the following groups:
- Consumers – Those who have had a negative experience with your organization are most likely to report any perceived violations.
- Employees – Employees, including disgruntled workers and those in good standing, might report PCI compliance violations as a means of protecting their co-workers and consumers alike.
- Watchdog groups – Both individuals and groups, known as watchdogs, often report PCI compliance violations whenever they’re uncovered.
Common Issues With the PCI DSS
Before filing a non-compliance report, it’s important to ensure that the organization in question is in direct violation of the PCI DSS. The following scenarios are covered by the PCI DSS:
- A retailer’s point-of-sale (POS) device has been rerouted or reprogrammed to connect with an external device or system.
- Account login credentials, including usernames and passwords, are jeopardized by a direct action of the retailer or its employees.
- Paper documents are left exposed or accessible to those outside of the organization.
Although this list doesn’t cover every possible case of non-compliance, it does provide some examples of the most common non-compliance complaints in the 21st century. As a general rule, the PCI DSS is only meant to secure CHD while it’s being used, stored, received, or transmitted by a particular organization. Incidents that fall outside that scope are not, on their own, evidence of non-compliance.
The Reporting Process
Consumers, employees, and watchdog groups all follow a similar process when reporting potential PCI compliance violations.
The first step typically involves contacting the offending organization. Many take these reports very seriously and will usually correct any issues independently. Most organizations can be contacted via telephone, email, or traditional postal mail.
If the offending organization fails to respond or refuses to address the non-compliance, most complainants will report the PCI compliance violations to the organization’s credit card processor. Even if the complainant doesn’t know the exact processor, they can still issue reports directly to Mastercard or Visa. Both organizations provide support via email, telephone, and online webchat.
Those who think their credit card information is compromised due to a retailer’s non-compliance should first contact their issuing bank. Any specific issues regarding non-compliance can be addressed after the old card has been deactivated and a new one is issued.
Consequences of Non-Compliance
Penalties for non-compliance vary widely in kind and severity. Most proven complaints result in monetary fines, but other, more severe incidents might involve additional consequences, too.
Fines and Monetary Penalties
PCI compliance violation fines start at $5,000 and range as high as $10,000. Regardless of the exact amount, these fines are typically due on a monthly basis until the issue of non-compliance has been fully resolved.
In addition to fines levied by the PCI, your organization is also responsible for covering any reversed credit card charges that stem from fraudulent purchases as a result of your non-compliance.
Larger organizations may face regulatory audits from the Federal Trade Commission (FTC) following non-compliance. However, these mandatory audits are generally reserved for severe and repeated violations.
Loss of Business or Reputation
It’s difficult to determine your organization’s potential loss of business due to non-compliance. Given the global connectedness of today’s consumers, however, most organizations will suffer some damage to their reputation in the wake of a PCI compliance violation.
Some consumers might opt for a lawsuit against your organization. In more serious incidents, a lawsuit might be pursued by one of the five major credit card companies or, in the worst case, the U.S. government.
Overcoming Violations and Maintaining Compliance
Although the standards established in the PCI DSS aren’t a part of U.S. law, failure to maintain compliance could have devastating consequences for your business. If you’ve had employees or consumers report PCI compliance violations in the past, or to find out more information about these regulations, contact RSI Security today.