What You Should Know About PCI Violations
PCI-DSS is a detailed and complex security standard that any entity involved in credit card payments must adhere to. Broadly speaking, its purpose is to ensure that the personally identifiable information (PII) of customers is properly handled, transmitted, and stored, so that bad actors cannot access it for unapproved purposes.
Businesses that are subject to PCI-DSS are exposed to significant fines if they are found to be in violation of the standard. Worse, newer businesses may not even know what to do if they receive a PCI violation. The reality is that the best way to deal with PCI violations is to avoid becoming responsible for PCI compliance in the first place, as outlined below.
What counts as a violation of PCI that can draw fines?
The most frequently cited violation is a data breach or hacking incident, such as those that hit Warner Music Group, Equifax, and Target. When a hacker, or as is often the case a group of hackers, manages to make their way through your security and gain access to PII, you have a major problem. Under these circumstances, even access to encrypted data can be a problem: attackers can steal the decryption keys or use brute-force attacks to recover them, so encrypting stored data does not make it safe, it only means the data is one key away from being decrypted.
That said, there are plenty of less dramatic ways for a PCI violation to occur, including:
- Keeping credit card information written down and stored in an unsecured location
- Being shown to have insufficient security on customer or employee usernames and passwords, which could allow access to stored credit card information
- Unauthorized individuals having access to PII in a form that they can remove from the premises (for instance by copying it to a thumb drive)
The fundamental truth is that PCI fines can be incurred any time an unauthorized individual gains access to consumer PII.
How are violations reported or uncovered?
Generally speaking, the PCI violations that make the news are the big ones, where hackers break into large corporations. Those corporations normally report the occurrence publicly (as they are required to do), and, while they will likely pay significant PCI fines, they have a fairly clear roadmap to clearing up the violation and compensating affected consumers.
Consumers, however, may suspect their information has been leaked by a company they do business with, and they can report it, generally to their card network or bank. If the financial institutions decide there is reason to believe the report, they can require an audit of the suspected compliance violator - and, indeed, can actually levy fines rapidly if they are dissatisfied with the suspected violator’s security environment.
Who levies fines?
As it turns out, most merchants do not technically pay PCI fines: fines are generally doled out by the card networks and are aimed at the payment gateways through which transactions are routed. Those gateways then pass the fines on to their own customers, both as one-time fees (what are generally thought of as PCI fines) and as continuing fee increases and penalties. For instance, those who find themselves pushed into the high-risk merchant category by a PCI violation may find that they are required to maintain a deposit reserve with their gateway to cover any future problems.
How much can PCI fines cost a company?
A significant PCI violation can be extremely costly, particularly if the entity with the PCI violation is unable to satisfy the downstream providers that it has rapidly achieved full compliance. The card networks may impose a relatively innocuous initial fine of $5,000, but this can be re-imposed regularly (generally on a monthly basis) and grow rapidly over time, to well over six figures. Meanwhile, being forced to keep a reserve can be crippling to an e-commerce company, as it removes significant capital from businesses that rarely see net margins higher than 5%-10%.
What is the best way to avoid PCI fines?
The easiest and safest way to avoid PCI fines is to avoid being under PCI-DSS compliance requirements in the first place. To achieve this, merchants should implement payment systems that avoid bringing covered PII into their environment at all.
Historically, the first step in achieving this goal has been to engage with a full-service Payment Services Provider (PSP), which will collect all data and process payments on your behalf. While this achieves the goal of avoiding PCI violations, it has the downside of being more expensive (full-service PSP fees are significantly higher than core card network interchange fees), as well as locking you into a particular provider.
The right strategy is to implement a multi-provider payment process founded on the services of a third-party Tokenization Services Provider (TSP) like Basis Theory. In this scenario, all credit card data is collected and submitted to the TSP, which returns a token for the merchant to store; with that token, the merchant can direct the TSP to submit transaction details to whichever payment provider makes the most sense. The benefit is that the merchant still has no PII in its environment, but it has the option to use whichever payment gateway it prefers. Additionally, the tokens it does store are random strings rather than encrypted or hashed card numbers, so even if a hacker managed to obtain them, they could not be decrypted or reversed to reconstitute the original PII.