CHAPTER 3: COMPLIANCE AND COMPLIANCE PROGRAMMES

Payment brands enforce the compliance process through contractual means, including higher processing fees, fines and financial penalties for non-compliance. These penalties can be applied monthly during the remediation process, and additional fines can be levied for breaches.

‘What are the consequences to my business if I do not comply with the PCI DSS?’

‘The PCI Security Standards Council encourages all businesses that store payment account data to comply with the PCI DSS to help lower their brand and financial risks associated with account payment data compromises. The PCI Security Standards Council does not manage compliance programmes and does not impose any consequences for non-compliance. Individual payment brands, however, may have their own compliance initiatives, including financial or operational consequences to certain businesses that are not compliant.’1

This all means that each payment provider will take whatever action it thinks it can make stick, commercially, to enforce the PCI DSS. There are no standardised penalties across all the payment brands, and the PCI Council has no plans to create any. Individual payment brands have their own compliance initiatives, and will require separate evidence of compliance. Given that the original dates for compliance have now all passed, each brand is likely to set different dates for different levels and different entities to demonstrate compliance. The acquiring bank is usually the best channel through which to discuss compliance deadlines and penalties, which are all imposed by means of the payment brand/acquiring bank’s contract with the merchant.

While the PCI DSS is a common Standard, each payment brand has its own compliance programme. Note that there may be regional variations for VISA (e.g. USA and Europe), while MasterCard has a single global standard, and that acquiring banks – not the payment brands – are usually responsible for enforcement. All detailed compliance enquiries should therefore be directed to your acquiring bank. Detailed below are the websites for the PCI DSS compliance programmes for each of the five founding members of the PCI DSS Council, which will give some guidance on the compliance actions that might be expected in respect of each of the payment brands:

Amex DSOP – https://www260.americanexpress.com/merchant/singlevoice/dsw/FrontServlet?request_type=dsw&pg_nm=home–merch_van=datasecurity

Discover Card DISC – www.discovernetwork.com/merchants/data-security/disc.html

JCB Card PCI DSS – http://partner.jcbcard.com/security/pcidss/index.html

MasterCard SDP – www.mastercard.com/us/company/en/whatwedo/site_data_protection.html

VISA US CISP – http://usa.visa.com/merchants/risk_management/cisp_overview.html?it=l2|/merchants/risk_management/cisp_merchants.html|Overview

VISA EUROPE AIS – www.visacemea.com/ac/ais/data_security.jsp

VISA CANADA AIS – http://visa.ca/merchant/security/account-information-security/index.jsp

VISA ASIA AIS – www.visa-asia.com/ap/au/merchants/riskmgmt/ais_sp.shtml

1 Q & A from the PCI DSS website, www.pcisecuritystandards.org.
