The 11/25/06 edition of The Green Sheet has a very interesting article entitled Card Associations Get Aggressive on PCI Enforcement. According to the article, Visa has publicly indicated its intent to begin levying fines for noncooperative level 1 merchants. Visa’s projection is that 65% of level 1 merchants will be compliant by year-end, according to Hector Rodriguez, director of Payment System Risk & Compliance for Visa. “Penalties may be levied to an acquirer if its merchants fail to comply with the PCI Data Security Standard, particularly in the event of a compromise or in cases where a merchant retains full track data,” according to Martin Elliott, vice president for Emerging Risk at Visa.
The article cites an interesting case involving a data breach at Chipotle Mexican Grill. “Prior to August 2004, the possible theft of patrons’ card data led to up to 2,000 incidents of fraudulent charges totaling $1.4 million, for which the restaurant became liable. … After the possible thefts came to light, [Chipotle] set aside $4 million to cover reimbursement of fraudulent charges, the cost of replacing cards, monitoring expenses, and fines imposed by Visa and MasterCard. … In its 2005 annual report, the company disclosed fines from Visa and MasterCard totaling a combined $1.3 million, which had been levied against the restaurant’s acquiring bank. Adding in legal fees, the chain’s total expenses related to its liability stand at $5.5 million….”
The article goes on to address the common misconception that Visa and MasterCard levy fines only when a data breach has actually occurred. “While Chipotle’s fines stemmed from an actual compromise, acquirers face potential fines of $10,000 to $100,000 monthly for their merchants’ failure to become compliant, according to Visa.” Unfortunately, there are still some merchants and service providers that assume they are unlikely targets and that their risk is minimal – in effect, sticking their heads in the sand and ignoring compliance requirements.
According to Mr. Herman of Visa, Visa considers storage of full-track magnetic stripe data to be “an egregious violation, which is susceptible to fines ranging up to $100,000 per month until compliance is achieved.” The article also asserts that the Federal Trade Commission can “levy penalties that can go well beyond fines from the Card Associations.”
As has been noted in prior posts to this blog, there is a significant benefit for organizations that achieve and maintain compliance with PCI: safe harbor. According to the article, “Acquirers for all levels of merchants who are in full compliance with PCI at the time of a security breach would not be subject to Visa fines,” citing Mr. Elliott of Visa.
Given the investment that Visa and MasterCard have made in instituting the PCI standards, and given the scrutiny that Congress has imposed regarding data breaches and security, it would seem likely that articles like this will become commonplace in the near future.