More breaches indicate it’s time to crack down on big merchant security.

By: Gary Glover, Director of Security Assessments
Visa released a bulletin in October announcing their PCI DSS validation enforcement plan for merchants and service providers.

After the major breaches of large, well-known merchants in 2014 (Home Depot, Dairy Queen, Neiman Marcus, etc.), it’s not surprising that Visa is cracking down yet again on the security of their largest liabilities.

Most large merchants comply with PCI DSS, but this bulletin specifically addresses those who haven’t yet validated their compliance, or are overdue in doing so.
Obviously Visa sees PCI DSS compliance as something that could potentially save many of their merchants from the serious breaches that grace the news every day.
Their plan “places a risk-based focus on noncompliant or overdue merchants and third parties that may introduce increased risks into the payment system.”

The bulletin goes on to say that “Visa clients [merchant acquirers/merchant processors] whose merchants or service providers have not fulfilled their annual PCI DSS compliance validation requirement…may be subject to the following actions…PCI DSS noncompliance assessments [and] implementation of risk reduction measures.”

New penalties for noncompliance

Visa’s noncompliance assessments will begin January 1, 2015 for merchants and service providers that are noncompliant or overdue and do not have a remediation plan in place.

Depending on how long it takes a merchant to complete their compliance validation after January 1, 2015, different penalties will start to apply. For example, if a service provider is 91-180 days overdue, their listing on the Visa Global Registry of Service Providers will be removed. Visa will also start levying noncompliance assessments against the acquirer/processor of noncompliant merchants.

Now, I wasn’t sure what Visa meant by noncompliance assessments or risk reduction measures, so I did a little digging. Here’s what I found:

Noncompliance assessments

[Table: Noncompliance Assessments (ID 0008193)]
In this table, found in another Visa document, it looks like acquirers/processors could be fined upwards of $200,000 for merchants who continually fail to provide PCI DSS compliance documentation or remediation plans. A monthly deadline is then established for validation. Each missed monthly deadline is considered another violation and results in another noncompliance assessment against the client.

Now, before you assume merchants won’t see a cent of these fines, think again. Remember that acquirers have the ability to raise processing fees or noncompliance fines to cover the penalties Visa might impose upon them. In essence, these fines may be passed on to you.

Risk reduction measures

[Figure: Risk Reduction Measures (ID 0005057), pages 1 and 2]

There’s a lot going on in this section of the bulletin. But the thing that stands out to me is that acquirers are prohibited from re-signing merchants that aren’t compliant. In fact, they are even required to terminate, or hold the funds of, merchants who aren’t compliant.

What merchants should expect

What does this new enforcement plan actually mean for noncompliant merchants and service providers? Here are some potential consequences:
  • Acquirers/merchant processors may start to raise noncompliance fines (and other fees) to mitigate the chance of Visa noncompliance assessments
  • Acquirers may ask you to provide your QSA name and planned PCI validation date
  • If you’re a service provider, acquirers may ask you to provide a QSA engagement letter including the planned validation date
  • Your acquirer could start withholding funds or terminate your contract if you are consistently noncompliant with PCI DSS

I’m interested to see how Visa’s PCI DSS enforcement plan will pan out in 2015. Will we see an uptick in PCI compliance among Level 1 and 2 merchants and service providers? Will we see an increase in merchant fines? Will this enforcement plan spur similar enforcement upon Level 3 and 4 merchants in the future? What do you think will happen?

Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.