I do not understand the fine structure for PCI DSS, can this be explained?
The fine structure falls in two categories: non-compliance fines and data compromise fines.
The PCI DSS compliance deadline has passed for all merchants.
Fines may be applied because of lack of progression towards PCI DSS compliance or for storing Sensitive Authentication Data (SAD); the fines can be levied every month and the value escalates if associated deadlines are missed.
Account Data Compromise (ADC)
Fines will be levied in all cases where merchants are the subject of a security breach and, upon investigation, are found to be non-compliant. The average fines levied on a small merchant total around £15,000, which is payable on top of any forensic investigation and remediation costs.
It is important to note, however, that on top of any non-compliance fines that may be levied, compromise fines will be levied in all cases where merchants are found to be non-compliant and are the subject of a security breach.
It is Barclaycard's policy to pass on any fines levied by the Schemes to merchants.
If, however, a merchant is the subject of a data compromise and an investigation carried out by a Qualified Security Assessor (QSA) finds the merchant to be compliant, it will benefit from what is called "safe harbour" from fines. It is important to reiterate that, in order for a merchant to be compliant, all of its third parties that store, process or transmit cardholder data on its behalf must also be compliant.
For more information, please email PCI.TaskForce@barclaycard.co.uk