Non-compliance fines in Europe


dstoettner
07-18-2007, 08:08 AM
Does anybody know where to find information about fines (or other ramifications) in Europe in case of non-compliance to PCI? So far I could not get any information from VISA/Mastercard.
It is quite difficult to convince organisations to spend money on implementing the standard when there seems to be no "real" penalty for not doing so.

regards,
Dominik

apm
07-19-2007, 12:34 AM
We've had the same problem with our acquirer being less than straightforward on fines.

We have heard (through webinars, online forums, other blog sites) that fines from Visa are only for making no serious attempts towards becoming compliant but we have not been able to confirm that.

We have heard (through webinars, online forums, other blog sites) that fines from MasterCard are more stringent and figures ranging from €5000 per week / month to €25000 per week / month have been mentioned but again, we have been unable to confirm.

A direct question to our acquirer along the lines of "Please detail what fines will be levied by the card associations for what reasons" has been met with extremely vague answers.

One point to note is that the fines will be raised by the card associations against the ACQUIRER and not the merchant directly, it is then up to the acquirer to pass on costs to the merchant. Obviously, it is worth checking your merchant / acquirer commercial contract to see what scope the acquirer has within this process.

jbhall56
07-19-2007, 03:32 AM
Regardless of whether we're talking about Europe or anywhere else in the world, no one truly knows how any of the card companies are going to dole out their fines as the card companies have not issued a statement on how this will occur. Everything I have heard to date is a rumor from various 'informed' sources.

In addition to what has already been stated, I have also heard that the card companies will adjust their transaction fees for those companies that are not compliant. The rumor is that PCI compliant merchants will receive a percentage discount on their transaction fees or those fees will remain the same while non-compliant merchants will receive a percentage increase in their transaction fees as an 'insurance charge' for the additional risk that the card companies incur because the merchant is non-compliant.

In the end, it's all still a rumor until there is a definitive statement from the card companies. And I really don't think we'll know anything definitive until after the October 1 deadline.

wconway
07-19-2007, 07:03 AM
> I have also heard that the card companies will adjust their transaction fees for those companies that are not compliant. The rumor is that PCI compliant merchants will receive a percentage discount on their transaction fees or those fees will remain the same while non-compliant merchants will receive a percentage increase in their transaction fees as an 'insurance charge' for the additional risk that the card companies incur because the merchant is non-compliant.

It's not a rumor about this interchange fee "carrot". Per Visa's December 2006 news release "Effective October 1, 2007, acquirers whose transactions qualify for lower interchange rates ...must ensure that the merchants generating the transactions are PCI compliant in order to receive the benefit."

As for fines, I would guess all the card brands are keeping it pretty vague. My understanding, though, is that while compromising the PAN is viewed as serious, you really get into extremely hot water if track data are compromised.

cmark
07-19-2007, 07:27 AM
Regarding fines, this is very difficult information to obtain although Visa is typically more open about the info than MasterCard.

With regard to interchange impacts, this is a Visa USA program only and is referenced in the CAP program. CAP is Visa's Compliance Acceleration Program. It states that Level 1 merchants that have not validated by Sept 30, 2007 will lose their tiered interchange benefits. It will not provide benefits proactively; it is more a penalty.