PCI DSS and Regulatory Compliance Blog

The “multiples” of not complying

March 2nd, 2007 Posted in Card Brands, Credit Card Fraud, Merchant, PCI DSS, PCI PIN, Service Provider

I had an IM chat this morning with Martin McKeay asking why everyone feels there are no teeth to PCI compliance. I worked with him on such a project and wanted his feedback. It seems everyone feels there is no monetary reason for large companies to comply. And those who take that stance would be correct - there is no direct cost, but there are indirect costs.

Let’s consider this for a moment. Not to pick on anyone, but the card brands can fine a merchant for non-compliance with PCI. (Remember that PCI includes both the PCI DSS and the PCI PIN requirements.) This means that each card brand can fine a merchant separately. (MasterCard does not publish fee numbers, so let’s assume they are the same as Visa’s.)

  • Up to $500,000 per incident (PCI DSS)
  • Up to $500,000 per incident (PCI PIN)

OK, so let’s say that you accept 3 credit card types and you have the worst compromise possible (storage of both Track and PIN block data). This means your direct fines would only account for $1m x 3 brands = $3m. And don’t forget the proactive fines for non-compliant merchants.

This is a large issue for small merchants and a small issue for large merchants.

Why should large merchants care? I’ve outlined a number of reasons here. It’s all about the multiples. If a small merchant loses 1,000 credit card numbers, the re-issuance costs, fraudulent transactions, and remediation costs will all be (relatively) small. They comply because of the fines.

Large merchants may not see the fines as a big issue, but they should care about all the things the smaller merchants don’t worry about. If you take class action lawsuits, re-issuance fees, fraud cost recovery fees, credit report monitoring, remediation costs, and possible FTC monitoring and then multiply them by 20 or 40 million cards, you end up with a very, very large number.

I am frustrated when people say there is not a big enough stick, because all they read about are the fines. Even after a compromise, TJX only reported having spent $5m on forensics and fines. Nobody ever sees the longer term costs of compliance because what reasonable merchant would ever publicize these numbers?

You cannot fear what you do not know. Educate yourself about the cost of credit card compromise.

6 Responses to “The “multiples” of not complying”

By Mark Mac Auley on Mar 2, 2007

    My take on this is that the teeth haven’t bitten hard enough or have been publicized enough so that people take notice.

    I also want to know when the whistleblower sites are set up. I had an interesting thing happen on the way to a State website that was so non-compliant I had to laugh. Literally. There was a nice logo with a padlock on it to make me feel safer though, so that was cool. I covered it in my blog at http://identitystuff.blogspot.com.

By Chris on Mar 2, 2007

If you are right that it is the indirect costs that are at play, then for large entities PCI is unneeded. The fines are lost in the noise, and the lawsuits and reissue costs are still there.

If you are right, is the seemingly lousy state of retail infosec to be explained by a regulatory/judicial/commercial environment that has changed faster than firms can react, or are the firms that expose millions of CC#s just, well, stupid?

I suppose it could be a combination. Until someone is quite publicly driven out of business due to their failure to secure systems, some firms may continue to behave as if they don’t care. Depending on how likely one thinks it is that such a “death penalty” will occur, firms’ current behavior may seem reckless or rational. I’ll let you know how I feel in 6-12 months. I used to think “reckless”, but I am unsure now.

By Michael Santarcangelo on Mar 2, 2007

    First - I love your blog. I think you have and share sharp insights, and I look forward to linking to and working with you more in the future.

    That said, I really enjoyed this post, and have a question. As a student of economics, I also figure that as the industry adjusts to PCI, the rates charged will be adjusted relative to the risk. I liken it to buying life insurance - have a breach, you prove you are in bad “health” and as a result… you pay a higher rate. And that stings.

    Until the card companies have the ability to impose those sliding fines….

    Oh - and there is an upside to this, too. Those that demonstrate and prove they follow “good practices” - they get to pay lower rates for processing.

    Does that hold water? I’ve started noodling some of this on a larger perspective and would be happy to share more if you think it makes sense.

    Thanks!

    Michael

    PS: Please come join us in the catalyst community - you will absolutely add to the conversation!

By datasecurity on Mar 3, 2007

    Chris,

    PCI is definitely required for all merchants. A class action lawsuit cannot work unless there is something the merchant did wrong. The lawyers need to say, “They should have been PCI compliant and they didn’t follow the rules.”

PCI compliance is necessary for every merchant. The beauty is in the flexibility of the validation. Different merchants and service providers fall into different levels at which they must validate compliance. (This is also where some of the complexity resides.)

    Thank you!

By datasecurity on Mar 3, 2007

    Michael,

    Thank you for your comments and for joining this conversation. I look forward to sharing and learning from each other. Also, I’d be happy to join the catalyst community… just tell me how.

    To address your question, YES there is a sliding scale, but it’s not as clear as you might imagine. The scale is dictated partially by the industry and partially organically.

For example, you know that the card brands can impose fines/fees for non-compliance and that there is a high likelihood of them offering lower interchange rates to those merchants who can validate PCI compliance. These two things are HUGE. I heard one (very) large merchant say that they could lose $1m per month on paying higher interchange rates.

    The organic penalties come in terms of lawsuits and FTC regulation. You never really know how bad these will be. I like your example of life insurance because I usually use the example of auto insurance.

    Thanks!

1 Trackback(s)

Mar 3, 2007: 5 Myths of PCI Compliance at PCI Compliance Demystified
