Thursday, February 7, 2019

Is your business PCI compliant? Avoid fines for breaches!

Major breaches like TJMaxx and Target have been widely publicized in the past, but breaches at smaller businesses have received very little attention. This is mainly because information about these smaller incidents has been very hard to come by, for two reasons.

First, not all states have disclosure laws requiring merchants to disclose breaches, and second, card associations are not required to disclose individual cases.

According to a Wall Street Journal article, most breaches come from small businesses that are not up to date with technology or compliance requirements. Here are some of the article's highlights:
  • More than 80% of credit card breaches have occurred at small businesses.
  • Visa levied $3.3 million in fines for non-compliance against small businesses in just one year.
  • MasterCard did not disclose its fines.
  • Any business that accepts credit cards must agree to be PCI compliant.
Take for example the case study of Lodi Beer, a microbrewery and restaurant in California that unknowingly stored 11,728 credit card records in its point of sale system. (Track data from the credit card's magnetic stripe cannot be stored under the PCI standards.) When that data was breached, Visa and MasterCard fined Abanco, the restaurant's merchant account provider, $27,000. Abanco in turn passed that fine on to the restaurant. In addition to the fines, this merchant has spent over $50,000 in remediation costs, legal fees, upgrades, etc. That is a huge amount of money for a small business. Had they been up to date with their technology, this situation could have been avoided.
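One practical check behind the Lodi Beer lesson is to scan what a point of sale system actually writes to disk for magnetic-stripe track data. The scanner below is an added example written for this post (not code from IES or the original article); it runs over a constructed log sample that uses public test card numbers, flags lines holding Track 1 or Track 2 data, and reports only the last four digits so the report itself does not become stored cardholder data.

```python
import re

# Constructed sample of what a POS debug log or database dump looks like when the
# software retains swipe data. The PANs are public test numbers, not real cards.
SAMPLE_DUMP = """\
2019-02-07 10:14:02 txn=1001 amount=14.50 auth=OK pan_last4=1111
2019-02-07 10:15:44 txn=1002 raw=%B4111111111111111^DOE/JOHN^2512101123400000?;4111111111111111=25121011234?
2019-02-07 10:16:10 txn=1003 raw=;5555555555554444=24061019876?
2019-02-07 10:17:31 txn=1004 note=order number 1234567890123 placed
"""

# Track 1 (format code B: %B<PAN>^<NAME>^<YYMM>...) and Track 2 (;<PAN>=<YYMM>...)
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})")
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

def luhn_ok(number: str) -> bool:
    """Luhn (mod 10) check used by card numbers; filters out order ids and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Keep only the last four digits, the portion PCI DSS allows to be displayed."""
    return "*" * (len(pan) - 4) + pan[-4:]

def scan_for_card_data(text: str) -> list:
    """Return (line_no, kind, masked_pan) per stored card number found.
    kind is 'track1', 'track2' or 'pan'; a track hit means swipe data was retained."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        seen = set()
        for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(line):
                if luhn_ok(m.group(1)):
                    findings.append((line_no, kind, mask(m.group(1))))
                    seen.add(m.group(1))
        for m in PAN_RE.finditer(line):  # bare PANs outside any track format
            if m.group(1) not in seen and luhn_ok(m.group(1)):
                findings.append((line_no, "pan", mask(m.group(1))))
    return findings

if __name__ == "__main__":
    for hit in scan_for_card_data(SAMPLE_DUMP):
        print(hit)
```

Line 1 (last four digits only) and line 4 (an order number that fails the Luhn check) produce no findings; lines 2 and 3 are the retained track data a PCI assessor would flag.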

Here are some interesting facts that you should know about PCI compliance standards:
  • Visa, MasterCard and the other card brands have put the responsibility of maintaining compliance status on the processor or merchant account provider. They have done this with a policy of making the processor responsible for paying fines when breaches occur.
  • While these processors are responsible for the fines, they will almost always pass whatever they are fined on to the merchant.
  • Since merchants are ultimately responsible for the fines, it is their responsibility to maintain PCI standards and stay up to date with their technology.

IES would love to help you become compliant. Give us a call at 781-816-9437 or check us out online at