More breaches indicate it’s time to crack down on big merchant security.
By: Gary Glover
After the large breaches of large and well-known merchants in 2014 (Home Depot, Dairy Queen, Neiman Marcus, etc.), it’s not surprising that Visa is cracking down yet again on the security of their largest liabilities.
Most large merchants comply with PCI DSS, but this bulletin specifically addresses those who haven’t yet, or are overdue in their compliance.
Obviously Visa sees PCI DSS compliance as something that could potentially save many of their merchants from the serious breaches that grace the news every day. Their plan “places a risk-based focus on noncompliant or overdue merchants and third parties that may introduce increased risks into the payment system.”
The bulletin goes on to say that “Visa clients [merchant acquirers/merchant processors] whose merchants or service providers have not fulfilled their annual PCI DSS compliance validation requirement…may be subject to the following actions…PCI DSS noncompliance assessments [and] implementation of risk reduction measures.”
New penalties for noncompliance
Visa’s noncompliance assessments will begin January 1, 2015 for merchants and service providers that are noncompliant or overdue and don’t have a remediation plan in place.
Depending on how long it takes a merchant to complete its compliance after January 1, 2015, different penalties apply. For example, if a service provider is 91-180 days overdue, its listing on the Visa Global Registry of Service Providers will be removed. Visa will also begin imposing noncompliance assessments on the acquirer/processor of noncompliant merchants.
Now, I wasn’t sure what Visa meant by noncompliance assessments or risk reduction measures, so I did a little digging. Here’s what I found:
[Image: Noncompliance Assessments (ID 0008193)]
Now before you assume merchants won’t see a cent of these fines, think again. Remember that acquirers have the ability to raise processing fees or noncompliance fines to cover the penalties Visa might impose upon them. In essence, these fines may be passed on to you.
Risk reduction measures
[Image: Risk Reduction Measures (ID 0005057) - Page 1]
[Image: Risk Reduction Measures (ID 0005057) - Page 2]
There’s a lot going on in this section of the bulletin. But the thing that stands out to me is that acquirers are prohibited from re-signing merchants that aren’t compliant. In fact, they are even required to terminate, or hold the funds of, merchants who aren’t compliant.
What merchants should expect
What does this new enforcement plan actually mean for noncompliant merchants and service providers? Here are some potential consequences:
- Acquirers/merchant processors may start to raise noncompliance fines (and other fees) to mitigate the chance of Visa noncompliance assessments
- Acquirers may ask you to provide your QSA name and planned PCI validation date
- If you’re a service provider, acquirers may ask you to provide a QSA engagement letter including the planned validation date
- Your acquirer could start withholding funds or terminate your contract if you are consistently noncompliant with PCI DSS
Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.