PCI DSS compliance questions: Deadlines, fines, tiers, costs

Get answers to the toughest Payment Card Industry Data Security Standard (PCI DSS) questions, such as: How do I get compliant? What are the penalties and fines if I don't? What does compliance buy me and when is the deadline? PCI DSS tiers, and which one applies to you, are also discussed.

The Payment Card Industry Data Security Standard (PCI DSS) was introduced to help prevent card fraud and to maintain public confidence in payment cards. It brings together security measures designed by Visa, MasterCard, and others such as American Express, JCB and Discover.

PCI DSS applies to every acquiring bank, merchant and third party that accepts or processes payment cards. Merchants and service providers are responsible for demonstrating to their acquiring banks that they are PCI DSS compliant.

The aim of the PCI DSS requirements is to prevent any information that could be used to make a counterfeit card or a fraudulent online transaction from falling into the wrong hands. This includes the card number, the expiry date, PIN and CVV numbers, plus details used in online transactions such as password, email address and name.

Here you will get answers to the toughest PCI DSS compliance questions:

When do I need to meet the PCI DSS compliance deadline?

Now. In fact, the original PCI DSS compliance deadline was set at June 2006. Visa stuck to that deadline (they were then the owners of the standard), while MasterCard extended their PCI DSS compliance deadline to June 2007, as did a number of other smaller brands. If you are not yet compliant, then you need at least to be able to demonstrate that you have a programme in place to become compliant. Contact your acquiring bank and find out what they expect of you. In most cases, they are happy to have an implementation plan in place, but you should be well on your way to becoming PCI DSS compliant.

What happens if I don't become compliant by the deadline? What are the PCI DSS costs or fines?

Not a lot in the short term, unless you have a security breach and some of your customers' credit card details fall into the wrong hands. Then you are in trouble. Lisa White, PCI DSS expert at Deloitte, estimates the costs as follows: take a quite modest compromise of 10,000 cards at a merchant. You could expect compromise fees of 5 euros per card; investigation costs of about 30,000 euros; an average fraud of 1,000 euros per card; card replacement costs of 20 euros per card; and 30 euros per card in chargeback fees. That comes to around 11 million euros, and 10,000 cards is a small example.

Who in Europe has been punished for being non-compliant?

Last year Barclaycard received fines from their payment companies for breaches that took place at their merchants. Those PCI DSS fines were not passed on to the offending merchants, but they were warned that if things didn't improve by June 2007, fines would be applied. Some merchants have also been raised to Tier 1 on the back of a breach, which means they have to go through the added expense of an external audit.

OK, so what does PCI DSS compliance buy me?

It's like an insurance policy and buys you what is known as 'safe harbour' from the costs and fines outlined above. Compliance shows you have taken all reasonable steps to protect the cardholder data in your charge. Going through the PCI compliance process also helps you to improve your processes and work more securely.

How easy is it to comply? What are PCI DSS merchant Tiers?

It depends on how many credit card transactions you handle, and obviously on how well organised you are already. Merchants fall into four tiers, ranging from Tier 1 merchants, who handle more than 6 million transactions a year, to Tier 4 merchants, who process fewer than 20,000 e-commerce transactions per year.

Only Tier 1 merchants need to be audited by an independent Qualified Security Assessor. The others are able to self-certify. Companies that have a breach or fail to show the right attitude can be placed in Tier 1 regardless of their transaction volumes. This is at the discretion of their acquiring bank, which is why it pays to communicate with the acquiring bank at all stages.

For most of the information you'll need, go to the Visa website (www.visaeurope.com). This contains a mass of advice and helpful hints, and describes in succinct terms what the standard requires.

However, the process can be littered with pitfalls. Deloitte's Lisa White offers this advice:

  • Do not underestimate the extent of the work. Getting a handle on access control sounds easy, but discovering who should have access to what data can explode into a huge amount of work. Tracing where cardholder data resides (in either paper or electronic form) can also be a lengthy process.
  • Keep up to date. The terms of the requirements have changed over time, and can vary between the U.S. and Europe.
  • Remember that the requirements are open to interpretation. The acquiring banks feel it is more important to comply with the spirit of the regulations in a pragmatic way, rather than try to follow the standard word for word. The opinion of your acquirer is very important.
  • Remember that your systems will exchange data with other systems. You need to include all systems connected to the payment system in your compliance programme.
  • Consider what impact it will have on the business to implement and run the policies on a day-to-day basis.

This is all too hard. What else can I do? What about outsourcing payment processing?

You can outsource payment processing to a specialist company. All credit card details reside with them, so you have no data to manage or to be responsible for. They carry complete responsibility for security and compliance. It is definitely worth considering, as the downside risk of a breach is just too high.
