PCI Compliance: How To Be Fine, Not Fined

With the frequency of hacking and data breaches, does the thought of PCI Compliance make you squirm or feel a little uneasy at times? A must-read article from Forbes Brand Voice by Jeremy Lacy that just might help put your mind to rest.



If you’re in a medium to large firm, you may be concerned about all the hacks and security breaches that have been plastered across the press in recent months. In fact, I wouldn’t be surprised if at some point your CEO or Risk Manager called a meeting to put the spotlight on Payment Card Industry (PCI) compliance: “Are we compliant? Are we secure? Are we going to get fined? Are we next in line for a bad headline?”

I work with PCI compliance every day and I am very, very tired of the “scare tactics” used by the press. Sure, if your company relies on credit card transactions, you will get fined if you fail to be PCI compliant. But the good news is, you can be fine when it comes to PCI compliance. Here’s how.

Understand the PCI Hierarchy

When it comes to PCI, it’s easy to be afraid that “Big Brother” (nameless and faceless, but somehow omniscient) is watching you and waiting for you to screw up so he can hit you over the head. Not so. There is a practical and functional hierarchy in place.

At the top, there are the credit card payment brands such as Visa, MasterCard, Discover, and Amex. They created the standards for PCI compliance in the first place. Below them are the acquiring banks or “acquirers.” An acquirer manages the process involving the merchant’s credit card transactions (some acquirers process the transactions themselves, some have another entity perform the transaction processing). At the bottom are the merchants. These are the stores and companies who function on credit and debit transactions.

Recognize How PCI Fines Work

Here’s a critical and often overlooked fact: if a merchant has a PCI compliance problem, it is their acquiring bank who gets fined by payment card brands. As far as the payment card brands are concerned, the acquirer is ultimately responsible for PCI compliance for the merchants they oversee. That being said, if an acquirer gets fined because a merchant is not compliant, chances are very good they are going to turn around and fine the merchant the full amount, plus a bit more for pain and aggravation.

The PCI compliance risk is shared by the merchant and the acquirer, which means it is in the best interest of BOTH entities to work together to ensure full PCI compliance.

Get to Know Your Acquirer

PCI compliance is now taking shape and form. It’s not nebulous. At the core, PCI compliance is about working hand-in-glove with the people at your acquirer. People who have names and faces. People who want you to be compliant and are typically glad to help you achieve that status. To put it simply, if all of an acquirer’s merchants are fully PCI compliant, the acquirer is making money with no fear of fines.

Remain PCI compliant and avoid fines by following these practices, like using a QSA to ensure your business is adhering to regulations.

So get to know the folks at your acquirer. Open the lines of communication. Initiate a healthy dialogue. Find out if they have specific requirements or areas of concern. When you add relationship to the regulations in PCI compliance, it makes everything a whole lot more palatable (for everyone involved).

Take Advantage of a Go-Between

Qualified security assessors, or QSAs, can really help your PCI compliance turn out just fine. They act as a valued link between you and your acquirer. As a QSA, the banks know that I am a PCI expert – not only on the PCI regulations, but also on how to interpret and implement the controls in a real world way, working to bring my merchant clients up to par. Since the acquirers are the ones initially on the line if anything goes wrong, they are always willing to dialogue with me. In turn, I can help interpret any special twists or turns a bank may have for my clients, making PCI compliance a more straightforward process.

Leverage a Team Approach

Hopefully, by now you can see that PCI compliance is really about teamwork. It’s about you, your acquirer, and your QSA working together to make sure there are no hiccups along the way.

A team approach means you can be proactive about compliance, which is much preferable to being reactive. For instance, in cases of noncompliant items for a merchant, I will help the merchant create a remediation plan to help them strengthen their PCI compliance and become fully compliant in a specified time frame. Then I put target dates on each remediation item, and that plan goes to the acquirer for review. The acquirer will follow up with my client to make sure everything is accomplished in accordance with the remediation plan.

“Yes, I’m fine!”

It’s time to stop being scared about PCI compliance and the vague threat of “fines.” By following the best practices above, you will be able to say, “PCI compliance? No worries – I’m fine!”
