Is PCI compliance scrutinised?

@Murphy175

Posted in: #PciCompliance #Security

After reading the very strongly worded recommendations regarding the storage of credit card details here, I've got to wonder - what happens if a non-PCI compliant company starts storing credit card details (I'm 100% sure that there are companies out there doing this).

For example, let's say I hadn't asked my question on here and I forged ahead and just decided to store customer credit card details and used some basic AES encryption. Now what? If we never get hacked, is anyone going to ask? Will Visa, or our merchant, ever want to inspect our servers?

What are the consequences of not using PCI compliant infrastructure?

Disclaimer: I get the hint - this is a bad idea and we won't be doing it, but I'm curious

10.05% popularity

4 Comments

@Rivera981

I deal more with HIPAA/HITECH compliance than PCI/DSS directly, however, HIPAA also usually necessitates compliance with PCI/DSS. Why? You never know when medical records will contain a front and back photo copy of a credit card. More often than not, they do (sadly). This usually comes from someone just using their card to settle a co-payment. Everything just gets tossed in one folder.

Embarrassingly, when these records are 'digitized' by third parties, more often than not the resulting (unencrypted) databases contain clear copies of the CC info. It's not as bad as it was a few years ago, but it's still a problem. The cause there is not carelessness, it's cluelessness.

A few hospitals have already suffered from this practice, after records were stolen (physically or electronically), resulting in shopping sprees.

With any standard, a responsible company will look at the intent behind the standard and realize the problems the standard is trying to solve. This results (quite often) in exceeding the requirements of the standard. That is, if, indeed you realize that the standard applies to you :)

If you have a breach, just one breach, and were dishonest about compliance (going back to your question), you will:

Never get another merchant account. Just forget about it. You may as well just close down shop; you have no way of getting paid.
Be hauled into civil court and have to pay damages.
Possibly be hauled into criminal court with more serious consequences.
Enjoy paying for identity protection for every affected person for years to come.

If you were honest, and followed the rules about notification etc., you will probably get out of it with a bit of a black eye, fix whatever hole was exploited and go back to business as usual. No system is, after all, 100% impervious to compromise.

You are probably correct in assuming that some companies do not follow the standard. If we assume that, we can also assume that they have been breached and just failed to report it deliberately, or perhaps (due to not complying) they did not realize the breach.

Visa / MC / Amex are very good at finding patterns; eventually they will trace a fraudulent trend back to a single vendor, and that vendor will be in quite a bit of trouble. The key here is to notify them immediately in the event of a breach, which means following best practices. If they have to 'figure it out' and discover (no pun intended) that you are the common denominator, it can get quite ugly.

10% popularity


 

@Welton855

I worked for a company that was going through the PCI compliance process and I have to say, if you are storing credit card info and are not PCI compliant you are putting your company at risk.

You are right in that the Credit Card industry may never find out, but why risk it? You have to remember, if you ever have a breach of security or a Card Vendor finds out, you can lose your business and your reputation.

Many people think that because it hasn't happened yet that it won't happen in the future and that is just plain false. Having a CC Provider find out or a breach occur is a Black Swan because it only takes 1 occurrence to ruin you.

10% popularity


 

@Ravi8258870

Even when you assume that nobody might want to inspect your server, you might fire an employee. Then that employee, who hates you, might go to VISA and complain about your lack of following the standards.

10% popularity


 

@RJPawlick198

The PCI DSS 10 Common Myths (pdf) talks about fines, legal fees, and general bad things, so I think you can assume you'd be sued into oblivion if you lied on the questionnaire :)

10% popularity