Is PCI Compliance a Toothless Tiger?
The massive data breach announced in January by Heartland Payment Systems continues to raise significant questions about the state of security in the payment industry. As many as 100 million credit and debit cards have been compromised, affecting an unknown number of consumers, 175,000 merchants and 600 institutions. One of the most pressing questions of the day is the relevance of the Payment Card Industry Data Security Standard (PCI DSS, usually just "PCI"), an industry-driven standard meant to ensure the safe handling of cardholder data.
Leading up to the breach, Heartland stated on its own website that it had been certified as PCI-compliant the previous April. “Obviously, Heartland was not in compliance at the time of the breach,” explained Steven Bearak, CEO of Identity Force (www.identityforce.com). “This lapse in compliance is not just troubling; it causes many to wonder if the PCI standard is in fact a toothless tiger.”
Heartland is still in operation. Visa, while removing Heartland from its list of compliant service providers, continues to accept transactions processed by the company. And just this week a top analyst at Gartner Research urged companies that do business with Heartland Payment Systems Inc. and RBS WorldPay Inc. (another breached processor) not to switch to other payment processors.
Heartland has even gone so far as to threaten to sue companies that try to take its business away by raising questions about the effectiveness of its security systems.
What is clear is that millions of people and merchants have been put at risk, and little is being done voluntarily to mitigate the damage. What good is PCI compliance if there are no penalties involved for the major institutions that claim compliance and are not?
Security is only as strong as the weakest link. PCI compliance certification is not a guarantee against breaches: a compliance validation is a point-in-time assessment, and it says nothing about whether the same controls are still in place the day after the assessor leaves. Organizations should prepare accordingly.
PCI COMPLIANCE & FINES
PCI compliance requires that any business that processes card transactions or stores credit card or cardholder data must comply with the PCI DSS (Payment Card Industry Data Security Standard). If you handle or accept credit card payments, this means you too. Non-compliance is not an option, and the fines and consequences are hefty.
Attacks on credit card data, personal information and other private data are a big part of “white-collar crime”. The anonymity the internet affords makes the problem larger and the threat greater, because attacks can be launched from anywhere in the world, even from within your own organization. Business size and type have little to do these days with the likelihood of a data breach or attack; to many attackers “any data will do”, no matter the size of the organization or business.

Plain and simple, PCI is not optional, and compliance should be treated as a key business policy. The PCI security requirements have been put in place to protect cardholder data, and everyone who handles it must become compliant. Non-compliance brings fines and penalties from the card brands and payment providers. These are typically assessed against the acquiring bank and passed on to the merchant, and the exact amounts vary by card brand and contract. Fines can include the following:
- Fines of $500,000 per data security incident
- Fines of $50,000 per day for non-compliance with published standards
- Liability for all fraud losses incurred from compromised account numbers
- Liability for the cost of re-issuing cards associated with the compromise
- Suspension of merchant accounts