[Disclaimer: The following is based on information received from a single acquirer, and I have been unable to corroborate any of this from other sources.]
Have you seen Visa Europe’s new fine structure for cardholder data breaches? Can you afford THAT kind of loss? More importantly; Are you really PCI compliant, or did you just fake your way through a Self Assessment Questionnaire (SAQ)?
In case you weren’t aware, the fines for a breach are levied against the results of the mandatory forensics investigation, not just your self-assessment status. Anyone caught lying on a self-assessment attracts the maximum fines, and rightfully so.
OK, full disclosure on the title, I did go straight into a worst case scenario, but would you read about PCI otherwise? If you’re like 99% of the people I’ve ever had as PCI clients, you care nothing about PCI compliance per se. Other than wanting it to just go away of course. Historically, even threats of fines have done little to motivate organisation to take PCI seriously.
Until now perhaps.
But first, believe it or not, some good news!; “Assessments levied for non-progressions and portfolio targets have been withdrawn.” – in other words, there will no longer be Visa Europe-defined fines for non-compliance. This is not to say your ACQUIRER can’t fine you, but Visa has only ramped-up the fines in the back-end.
In this case, the ‘back-end’ means you’ve been breached, and there is now a whole host of things you have have to take into account to work out your potential losses:
- The loss of 1 PAN & CVV attracts a fine of €18.
- There is a €3,000 ‘Account Data Compromise (ADC) Management Fee’ imposed on all breaches.
- For penalties over €100,000, the fines can be capped at “5% of the merchant’s Visa gross annual purchase volume in 12 months prior to the initial notification.” I assume this is entirely discretionary and weighed against the egregiousness of the non-compliance.
- Did the acquirer correctly report the merchant’s compliance status? – Even is the status is non-compliant, there is a 25% reduction in fines for correct reporting.
- Are the ‘majority’ of the merchant’s transactions authentication with Verified-by-Visa (VbV) – 50% reduction in fines if yes.
- Non-compliant Level 4 Merchant puts 1,000 PAN and CVV2 numbers at risk – Acquirer correctly reported compliance status, and VbV is in place;
PAN & CVV 1000 x €18: € 18,000.00 Compliance Reductions @ 25%: -€ 4,500.00 Sub Total: € 13,500.00 VbV Reduction: -€ 6,750.00 Sub Total: € 6,750.00 ADC Management: € 3,000.00 Cap Applied: N/A Grand Total: € 9,750.00
- ‘Compliant’ Level 3 Merchant puts 5,000 PAN and CVV2 numbers at risk – Acquirer incorrectly reported compliance status, and VbV is not in place;
PAN & CVV 5,000 x €18: € 90,000.00 Compliance Reductions @ 25%: € 0.00 Sub Total: € 90,000.00 VbV Reduction: € 0.00 Sub Total: € 90,000.00 ADC Management: € 3,000.00 Cap Applied: € 25,000.00 Grand Total: € 28,000.00
- Non-compliant Level 2 Merchant puts 75,000 PAN and CVV2 numbers at risk – Acquirer correctly reported compliance status, and VbV is in place. No penalty cap applied;
PAN & CVV 75,000 x €18: € 1,350,000.00 Compliance Reductions @ 25%: -€ 337,500.00 Sub Total: € 1,012,500.00 VbV Reduction: -€ 506,250.00 Sub Total: € 506,250.00 ADC Management: € 3,000.00 Cap Applied: N/A Grand Total: € 509,250.00
Will Visa Europe’s new fine structure get merchants moving towards compliance? I seriously doubt it. Frankly nothing will get them moving unless the CEO / BoD see these fines as a legitimate business risk instead of a worst case scenario. And what are the chances of that when the cost of properly securing cardholder negatively impacts the quarterly numbers?
Fining for non-compliance was stupid anyway. It basically forced merchants to just lie on their SAQs and do nothing to actually reduce the risk. Huge fines for a breach is arguably a more appropriate way of punishing those who egregiously ignored the standard. But it’s still after the fact.
But what if the card schemes actually provided INCENTIVE for achieving [and appropriately demonstrating] compliance? Reduced interchange rates perhaps? Financial incentive to adopt their increasingly desperate ‘innovations’ maybe? Wouldn’t THAT be something.