non-compliance results in...

FunPolice
01-18-2010, 02:14 AM
Hi all,

I've often been told of the potential of the card brands to remove the card-processing capabilities of a merchant who simply refuses to consider PCI DSS compliance. Has this ever actually taken place? I seem to remember it happened to a payment processing organisation - has it happened to any "high street" style level one or level two merchants?

fp

jbhall56
01-18-2010, 03:31 AM
You are probably thinking of CardSystems. However, they were eventually reinstated by the card brands and then sold to another processor.

I am not personally aware of any merchant that had their merchant agreement revoked due to PCI non-compliance. However, I do know of merchants that have had their merchant agreements revoked for other reasons such as skimming, double charging and other forms of card fraud.

FunPolice
01-18-2010, 06:36 AM
Fair enough - perhaps it's just that the card brands have always managed to get merchants to buy into PCI before getting to the point where they would cut them off. I'm sure there must be some merchants out there who have gone into meetings with acquirers / card brands to try and argue that they were too big and important for anyone to cut off their card processing capabilities.

jonassono
01-18-2010, 08:49 AM
To the best of my knowledge, there isn't a single merchant in this Province (BC) that has validated their PCI compliance and this includes the Level 1 merchants with annual sales over $1B.

There is a lot of activity (like a frog jumping about in a pail of milk) but little or no progress.

Several of the larger ones have indicated their acquirers are not even remotely interested in discussing "PCI compliance".

FunPolice
01-18-2010, 10:01 AM
To the best of my knowledge, there isn't a single merchant in this Province (BC) that has validated their PCI compliance and this includes the Level 1 merchants with annual sales over $1B.

There is a lot of activity (like a frog jumping about in a pail of milk) but little or no progress.

Several of the larger ones have indicated their acquirers are not even remotely interested in discussing "PCI compliance".

I'd be very curious to know if this is true elsewhere - if it can happen in one location, presumably it can happen anywhere. Possibly only in locations where all merchants act in a unified manner to decline the requirements?

Surely the card brands will chase them down eventually; they'll have to if they want to maintain momentum for compliance in the industry as a whole.

jonassono
01-18-2010, 05:27 PM
Other than a handful of larger Level 1 merchants across the globe, I really question the reported merchant validation rates.

The only merchants that get heat from the card brands are the ones that have experienced a breach (and bothered to report it).

IMHO the program is an abysmal failure.

The only winners are the card brands who profit from the PCI Security Council's program to qualify QSACs, QSAs and ASVs through their annual fee structure. Best guess is an annual profit of $5M to $6M.

The losers are the merchants, the issuing financial institutions and the cardholders.

A big pile of PR security puffery.

fatal
02-04-2010, 03:46 PM
To the best of my knowledge, there isn't a single merchant in this Province (BC) that has validated their PCI compliance and this includes the Level 1 merchants with annual sales over $1B.

There is a lot of activity (like a frog jumping about in a pail of milk) but little or no progress.

Several of the larger ones have indicated their acquirers are not even remotely interested in discussing "PCI compliance".

I have personally done reports on compliance for many Canadian companies (L1-3).

As far as what happens if you are not compliant - most companies who are not compliant are being fined and/or paying the higher transaction fees. As far as more extreme measures - I had a client that refused to become compliant and the card brand they were directly connected to gave them a drop dead date to become compliant or gtfo the network.

FunPolice
02-15-2010, 04:06 AM
Other than a handful of larger Level 1 merchants across the globe, I really question the reported merchant validation rates.

The only merchants that get heat from the card brands are the ones that have experienced a breach (and bothered to report it).

IMHO the program is an abysmal failure.
Funniest thing - found a discouraging article (http://searchsecurity.techtarget.co.uk/news/article/0,289142,sid180_gci1380357,00.html) on this issue. The suggestions from the crowd of PCI users? Merchants don't get the impression the card brands are taking enforcement seriously.

An interesting quote:
"She added that in the first half of 2009, £200,000 a month was being collected in fines for non-compliance, although the card schemes have since adopted a more conciliatory approach."

So, if there are ten noncompliant merchants that were being fined (clearly there must have been more than that), that's £20,000 a month. Gartner estimates that tier one companies on average have to spend 1.7 million pounds (2.7 million dollars) to achieve compliance. A little math, and it takes seven years of fines to hit the cost of compliance.

(Note there were zero fines for noncompliance in the second half of 2009.)

Juliodone
03-23-2010, 07:39 AM
It's hard to blame merchants given some of the confusing soundbites being touted around....
Bob Russo (PCI General Manager) was quoted as saying that compliance is a temporal principle and that a merchant's PCI compliance liability could change depending on the state of a given organisation at the point in time when an actual breach occurs.

This has been interpreted as "you will always be liable" and "you will always be investigated if there's a breach", so many large companies are purposefully dragging their heels as they can't see any benefit in being "compliant".

One risk analyst at a large UK retailer even suggested to me that their strategy is to engage in a process of constant partial compliance.
They are purposefully dragging their heels for as long as they can whilst distracting their merchant acquirer with multiple queries regarding compensating controls (LOL), as their efforts won't affect their liability.

lyalc
03-24-2010, 02:16 PM
I usually suggest there is a difference in the burden of proof should there be litigation as a result of an incident.

Compliance to an industry standard, vs a self assertion, always makes the plaintiff work harder to prove their case, and may deter some cases.

Penalties are minor costs when compared to potential litigation outcomes in my view. TJX's costs exceed $250m USD according to the press.

A retailer I've worked with compares PCI compliance to food safety/contamination. Why would you shop somewhere that there is a known risk or adverse consequences?

lyalc

jonassono
05-04-2010, 05:54 AM
It's now 2010 and very little has changed since my last post in 2007 on this subject.

Now that's what I call "real progress"!!!!