PCI DSS and Regulatory Compliance Blog

Non-Compliance Fees Growing

February 6th, 2007 Posted in Card Brands, Compliance, Merchant, Service Provider

Many of you have read about the non-compliance fees that will be levied starting March 31, 2007 and September 30, 2007. What you may not have known is that the non-compliance fees for storage of sensitive authorization data actually grow.

Starting March 30, 2007, any company storing Track data, PIN block data, or CVV2/CVC2/CID post-authorization may be fined $10k/month. That lasts until June 1st, when the fines increase to $50k/month, and again on September 1st, when they increase to $100k/month.

Remember that the original press release states:

For prohibited data storage, acquirers failing to provide confirmation that their Level 1 and 2 merchants are not storing full track data, CVV2 or PIN data by March 31, 2007 will be eligible for fines up to $10,000 a month per merchant, subject to escalation in the event material progress toward compliance is not made in a timely manner.

The fines will increase twice, in three-month increments. This may sound frightening to some merchants, but the reasoning is certainly fair. There has been an ongoing string of compromises such as TJX (2006-7), Citibank (2006), CardSystems (2005), BJ's Wholesale Club (2004), and the list goes on.

Fines have been levied in the past, but the message does not appear to be sticking.

As part of the new initiative, Visa is creating sanctions for merchants that don’t comply with the rules. In 2006, the credit card giant levied $4.6 million in fines, up from a 2005 total of $3.4 million, it said. The fines hit the banks, which may pass them on to noncompliant merchants, Perez said.

Now, almost 2.5 years after the original deadline for compliance (Sept. 30, 2004) and many years after the CISP/PCI program started, merchants are being held to the fire. The message? “Secure your customers’ data!”

This is just the beginning. Soon the government could introduce legislation to force everyone to properly protect cardholder data. Not only that, these proposed bills would impact all personally identifiable information (PII) and may not be restricted to just credit card data.

3 Responses to “Non-Compliance Fees Growing”

By Dental Associates of Cedar Creek on Dec 5, 2007

Our office did not receive ANY information regarding a compliance charge until it was placed on our OCT statement by M&I Merchant Services. Had I known what this was about we would have taken any steps or action necessary. Nothing is stored as we have a very old machine. However, is it legal for our merchant services to charge us for something we had no knowledge of? Thank you. Bus Mgr

2 Trackback(s)

Feb 6, 2007: Ambersail Infosec Roundup » Blog Archive » PCI Non-Compliance Fines Raised
Mar 3, 2007: 5 Myths of PCI Compliance at PCI Compliance Demystified
