I do not understand the scheme fine structure for PCI DSS, can this be explained?
The Schemes' fine structure falls into two categories: non-compliance fines and data compromise fines.
The PCI DSS compliance deadline has passed (June 2005) for all merchants except for:
- Level 3 and ecommerce Level 4 merchants: VISA deadline was 1st October 2009, by which time merchants must use a PCI DSS certified service provider or provide certification of their own PCI DSS compliance to their acquirer.
- Remaining Level 4 Merchants: the compliance deadline will be set by the Schemes and communicated. However, compliance with PCI DSS is mandated for all merchants regardless of whether there is a deadline or not.
It is important to note, however, that on top of the non-compliance fines that may be levied at any time by the Card Schemes once the compliance deadline has passed, compromise fines will be levied in all cases where a merchant is found to be non-compliant and is the subject of a security breach.
It is Barclaycard's policy to pass on any fines levied by the Schemes to the merchants.
If, however, a merchant is the subject of a data compromise and an investigation carried out by a Qualified Security Assessor (QSA) finds the merchant to be compliant, the merchant will benefit from what is called "safe harbour" and the card schemes will not levy a fine. It is important to reiterate that, in order for a merchant to be compliant, all of its third parties that store, process or transmit cardholder data must also be compliant.
| Cost Type | MasterCard | Visa |
|---|---|---|
| PCI DSS Non Compliance | Limited at Acquirer level to $500k in aggregate in a 12 month period. | Visa have a tiered fine structure based on notification to the member (see the table below). |
| Compromise Fines | Issuer reimbursements. Severity of fine will depend upon Acquirer / Merchant progress, co-operation, number of accounts at risk, and what sensitive data has been stored (e.g. CSC, Track 2). Failure by an Acquirer to comply with the 'Acquirer Responsibilities' defined in the Rules can incur a further $25k per day until compliant. The assessments for Wrongful Disclosure and Failure to Secure Data are up to USD 100,000 per violation. The assessments for Retention of Prohibited Data (mag stripe, CVC 2) are up to USD 100,000 per violation. | |
| Fraudulent Spend | For both Schemes, Acquirers can be liable for all fraudulent spend following a data compromise; this is dependent upon the Issuers making a compliance case to the scheme. | |
| Compromised Entity | Initial Penalty (€) | Insufficient remediation after 90 days (note 1) | Monthly PCI DSS Violation (after 4 months) | Monthly PCI DSS Violation (after 5 months) | Monthly PCI DSS Violation (subsequent months) |
|---|---|---|---|---|---|
| Level 1 | €50,000 | €30,000 | €50,000 | €75,000 | €75,000 |
| Level 2 | €25,000 | €15,000 | €25,000 | €50,000 | €50,000 |
| Level 3 | €10,000 | €5,000 | €10,000 | €15,000 | €15,000 |
| Level 4 | €10,000 | €5,000 | €10,000 | €15,000 | €15,000 |
| VisaNet processors / Member Processors | €50,000 | €30,000 | €50,000 | €75,000 | €75,000 |
| Merchant Processor | €25,000 | €15,000 | €25,000 | €30,000 | €30,000 |
| Other | €10,000 | €5,000 | €10,000 | €25,000 | €25,000 |
Note 1: sufficient remediation is demonstrated by showing that the following PCI DSS requirements have been implemented:
1) Remove sensitive authentication data and limit data retention
2) Protect the perimeter, internal and wireless networks
3) Secure applications
4) Protect through monitoring and access controls
5) Removal of CVV2 data must be achieved within 30 days. The non-remediation penalty will apply after 30 calendar days if removal of CVV2 (or other authentication data) and cessation of its storage have not been effected by card-absent merchants and merchant service providers. Subsequent fees will be applied after each further 30 calendar day period until removal and cessation of storage have been confirmed in writing to the Visa Europe Compliance Department.
For more information please email PCI.TaskForce@barclaycard.co.uk