PCI / CISP Compliance
a. In its new enforcement role, the merchant's credit card processing bank is responsible, as we understand it, for passing along to the merchant the fines associated with the costs of fraud, identity theft and non-compliance following any non-compliance or compromise that has occurred. Each of the major card brands has a fee/fine structure that sets out how fines are assessed on the basis of audits.

   i. If a series of lost or stolen cards or identity thefts appears to correlate with a single establishment, whether found in an investigation or in a CAMS (Compromised Account Management System) database, that establishment will be targeted for audit and assessment.

   ii. A lack of security can also be detected from the yearly (or more frequent) SAQs (Self-Assessment Questionnaires) that an establishment must now complete. At this time, a separate SAQ may be required for each payment method an establishment accepts.

If an organization is targeted, an official audit is then conducted to determine what corrective actions, if any, are required and what fines will be assessed. At this time, we understand the fine structure to begin at $50,000.00 (in the case of Visa), or to result in the loss of the establishment's ability to accept credit cards for those that do not remedy their non-compliant position or are unable to pay the levied fines.
b. On July 1, 2003, the State of

"Credit card transactions, magazine subscriptions, telephone numbers, real estate records, automobile registrations, consumer surveys, warranty registrations, credit reports, and Internet Web sites are all sources of personal information and form the source material for identity thieves." (Transposed from <SB-1386 on website, above>.)

In essence, the law defines a breach as one involving an individual's first name or first initial and last name, combined with any of the following: a Social Security number; a driver's license or California ID Card; or an account number or credit or debit card number together with the security code, access code or password that would allow access to the financial account. Notification must ordinarily be made directly to the affected individuals; however, if the cost of doing so would exceed $250,000 or the number of persons affected exceeds 500,000, notice of the breach may instead be given by email, by posting on the company's website, or through major statewide media. The law also points to a properly enforced information security policy, which appears to be of increasing importance. We have included a sample information security policy later in this document.

c. Additionally, we understand that there are individuals seeking out merchants who have not yet become compliant with masking the full credit card number or the expiration date (as indicated above, for California). As we understand it, upon finding such a site, these individuals may add the merchant in question to a class-action lawsuit naming the business as negligent with customers' PANs (primary account numbers) and personal information.

d. The public embarrassment and business impact of losing personal data may be enough to force even a popular location out of business and to erode the public's trust. This may be a larger risk than the fines associated with a breach, since any reduction in patronage would be damaging to a business.