Why you should treat PCI DSS as though it was the law

Mar 20, 2015


When we start an assignment helping a client to become compliant with PCI DSS, at some point early on we get asked the same two questions:

· what are the implications if we don’t get compliant?

· is it a legal requirement?

The recent news of online holiday insurance company StaySure being fined by the Information Commissioner helps answer both questions.

It’s quite common to hear of horrific costs arising from data breaches. The Ponemon Institute’s 2014 Cost of Data Breach Study calculated an average cost of £2.21m for UK data breaches. By far the biggest component of that figure is lost business: existing customers who leave and prospective customers who never sign up. These are very real costs, but when the question is asked in relation to PCI DSS the focus tends to be on the cost of non-compliance in terms of penalties and fees.

Fines and penalties may be incurred both for non-compliance and for actual breaches. Precise details of the penalties charged by the card brands and acquirers are not easy to obtain, but in US documentation MasterCard cites fees of up to $25,000 for a first instance of non-compliance, and breach penalties on the acquirer of up to $100,000, which the acquirer will pass on to the merchant. In the UK, Barclaycard cites “average fines levied for a small merchant total around £15,000 which is payable on top of any forensic investigation and remediation costs”, and this is in addition to “compromise fines … levied in all cases where merchants are found to be non-compliant and the subject of a security breach”. There may also be increased transaction charges, and ultimately loss of the card payment facility altogether.

The headline news for StaySure, however, was not fines imposed by the card companies but a fine of £175,000 imposed by the Information Commissioner, reduced to £140,000 if StaySure pay before the end of this month.

The involvement of the Information Commissioner helps us to answer the second question, whether PCI DSS is a legal requirement. The short answer is that PCI DSS is not a legal requirement in UK law: it is a contractual obligation that flows from the card brands through the acquirer to the merchant. However, companies often overlook that cardholder data is not just financial data but personal data, and so falls under the Data Protection Act. When the Information Commissioner examines a breach of card data under his personal data remit, he will take into account whether the company was PCI DSS compliant.

Following the Lush breach a few years ago the ICO issued a statement “to warn online retailers that if they do not adopt this standard, or provide equivalent protection when processing customers’ credit card details, they risk enforcement action from the ICO.” In the case of StaySure, attackers were able to place malicious JavaScript on the firm’s website by exploiting vulnerabilities in unpatched software. Not only were card numbers taken but also CVC codes, which PCI DSS prohibits storing after authorisation, so the fact that they were available to steal at all was itself a compliance failure. The Information Commissioner’s Head of Enforcement noted: “It’s unbelievable to think that a company holding three million customer records did not have the procedures in place to keep that information secure. Keeping personal information secure is a basic legal requirement. The company’s actions were unacceptable and this penalty notice reflects the severity of the situation.”

On the other hand, high street retailer Office escaped without a fine despite the compromise of details of one million customers. The ICO appear to have given credit for the fact that the data did not include financial details and that Office had taken some precautionary measures.

So, to answer those two questions we are commonly asked:

The implications of non-compliance can be very substantial, and the implications of a breach could be crippling.

It is not a legal requirement, but you’d do well to treat it as though it were.

If you would like to know more about achieving and maintaining PCI DSS compliance, contact us now.
