Digital Transactions News reported yesterday that according to a copy of an Oct. 21st Visa Bulletin obtained by DT, Visa plans to introduce a new enforcement plan for Level 1 and Level 2 merchant and service provider compliance with PCI DSS regulations. The plan, expected to start on January 1st, includes noncompliance assessments – with noncompliance leading to the organization being highlighted on Visa’s Global Registry of Service Providers and hefty fines and penalties. Visa’s move makes the case for Bluefin’s PCI-validated Point-to-Point Encryption (P2PE) Solution even more compelling for organizations that want to reduce the scope of their cardholder environment and manage compliance more effectively.
Visa’s move isn’t surprising. The Card Associations and the Issuers are left holding the bag after data breaches. While the breached companies suffer staggering losses from lawsuits, lost customers, brand reputation and more, those issuing the cards are responsible for refunding the consumer’s fraudulent charges.
And in many of the recent breaches, holes were found in the companies’ POS systems, internal and external networks, security policies, etc. While it is not known whether these “holes” were in or out of scope for PCI compliance (that is part of the internal investigations), Visa’s action demonstrates that they are serious about PCI compliance.
If organizations don’t comply – well, the public will know pretty quickly. According to the Digital Transactions story:
- “For those organizations between one and 60 days overdue, Visa will mark in yellow the organization’s listing in the Visa Global Registry of Service Providers. The entities also must notify their merchants and agents of the overdue status. After 61 days, the entry is marked in red. Organizations prefer their entries have no color background at all. As the number of overdue days increases, Visa takes other action, including removal from the registry of service providers, and may assess monthly penalties after 91 days.”
While the Visa bulletin did not detail penalty timing and amounts, it’s not difficult to see where that might go, since noncompliance with PCI DSS already carries huge fines: for months 1-3 of noncompliance for a Level 1 or Level 2 merchant, the fines could range from $5,000 to $10,000 per month. For months 4-6, the fines could rise to $25,000 to $50,000, with fines of $100,000 per month for noncompliance after 6 months.
But as Digital Transactions points out, many large merchants have disparate technology and systems in-house, or they outsource some (but not all) of their PCI compliance, which makes it extremely difficult for an organization to know where all of the “moving security parts” are at all times.
That’s where Bluefin’s PCI-validated P2PE solution comes in. PCI introduced its requirements for P2PE in 2012. PCI P2PE was designed not only to remove clear-text cardholder data from the merchant system (so a fraudster can’t grab it if the system is breached), but ALSO to give large merchants and organizations a security solution that could significantly reduce their PCI scope and assessment, thereby making annual audits more cost-effective and manageable.
When a merchant implements PCI-validated P2PE throughout their card-present environment (and card-not-present for keyed transactions), the only part of the card acceptance system in PCI scope is the devices. Why? Because with PCI P2PE, the device encrypts the card data and that card data never reaches the merchant’s network in clear text, so that network and those systems are not in scope because no clear-text cardholder data exists there.
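To make the scope argument concrete, here is an added example (not Bluefin’s code or any PCI P2PE implementation) in Python: a non-P2PE POS log beside a P2PE-style one, and a minimal PAN-discovery check of the kind run when assessing where clear-text cardholder data exists. The device encryption is a labelled stand-in for the POI hardware, and every PAN and key is a constructed test value.

```python
import hashlib
import hmac
import os
import re

# Constructed sample PANs (industry test numbers), not real cardholder data.
SAMPLE_PANS = ["4111111111111111", "5500000000000004"]
PROCESSOR_KEY = b"constructed-demo-key-held-only-in-the-decryption-environment"
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn check that separates PAN candidates from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_clear_text_pans(text: str) -> list[str]:
    """Minimal PAN-discovery scan: 13-19 digit runs that pass Luhn."""
    return [m for m in PAN_RE.findall(text) if luhn_ok(m)]

def poi_device_encrypt(pan: str, key: bytes) -> dict:
    """Stand-in for a P2PE POI device: emits a PCI-masked PAN (first 6 /
    last 4) for receipts plus ciphertext the merchant cannot open. Real
    devices use DUKPT keys in tamper-resistant hardware; this HMAC-SHA256
    keystream is only a placeholder so the flow runs offline."""
    nonce = os.urandom(12)
    keystream = hmac.new(key, nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(pan.encode(), keystream))
    masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    return {"masked": masked, "nonce": nonce.hex(), "ct": ct.hex()}

def processor_decrypt(rec: dict, key: bytes) -> str:
    """Runs only in the solution provider's decryption environment."""
    keystream = hmac.new(key, bytes.fromhex(rec["nonce"]), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(bytes.fromhex(rec["ct"]), keystream)).decode()

def legacy_pos_log(pans: list[str]) -> str:
    """Non-P2PE POS: the application sees and logs the clear PAN."""
    return "\n".join(f"SALE pan={p} amt=12.00" for p in pans)

def p2pe_pos_log(pans: list[str], key: bytes) -> str:
    """P2PE POS: the merchant system only handles masked PAN + ciphertext."""
    recs = [poi_device_encrypt(p, key) for p in pans]
    return "\n".join(f"SALE pan={r['masked']} blob={r['nonce']}{r['ct']} amt=12.00" for r in recs)
```

Scanning the legacy log finds every sample PAN; scanning the P2PE log finds none of them, which is the condition that takes the merchant network out of scope.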
And further, PCI-validated P2PE takes a Level 1 merchant’s 288-question assessment down to 18 questions.
PCI compliance will never go away. In fact, as breaches continue to happen, the pressure from the Associations, Issuers and even consumers will mount on retailers to shore up their security. So the choice will be to spend millions of dollars tightening and monitoring existing systems, while keeping all POS operations in PCI scope, or to implement endorsed solutions like PCI P2PE, which reduce PCI scope, audit, and assessment, secure cardholder data, protect consumers, and preserve the corporate brand, all while saving organizations time and money.