May 30 2008
Alan is continuing the conversation about the firing at TJX and reporting Payment Card Industries ‘violations’ to someone. I want to pause the conversation for a moment to clear up a few misconceptions.
The PCI Security Council has no power to fine and is only responsible maintaining the PCI Data Security Standards and administrating the assessment process. They set the standards and keep track of who’s compliant (or not). That’s about it. They have a lot of power to influence the security industry. They have complete control over the assessment process. But what the PCI Security Standards Council does not have is a direct means to fine a company for not being compliant. There is almost no direct relationship between the PCI Council and the businesses taking credit cards.
The credit card companies never fines a merchant directly, since their relationship is with the acquiring bank, not the merchant. In simplest terms, acquiring bank takes the credit card information from the merchant and gives the merchant his money, minus a small fee. The acquiring bank, the PCI Council and the credit card companies all have direct relationships. Only the acquiring bank has a relationship with the merchant. The credit card companies can fine an acquiring bank, but don’t fine a merchant directly. Though that cost is usually passed through to the merchant in some form.
If a merchant suffers a compromise or is non-compliant, the acquiring has several punitive options, including raising the per transaction fee or levying a fine. Most merchant would rather receive a fine than raised fees; for medium and large businesses the fine would be much less painful than a .25% raise in their per transaction fees. .25% of several hundred million dollars is still a lot of money. The acquiring bank can also choose to absorb the loss.
The acquiring bank has the power to make a company hurt if they’re not compliant or suffer a compromise, the ‘teeth’ Alan’s looking for. There isn’t much direct evidence of how much the acquiring banks are fining companies and what we saw happen with the first TJX incident wasn’t inspiring. Visa fined the acquiring bank $880,000 which will likely be passed along in one form or another. But we, the public, don’t know the specifics of what TJX was fined because there is no reporting requirement. Even working in the industry, all I know of the fines is from the press.
The bottom line is, the PCI process has teeth. They’re being used quietly by the acquiring bank as part of the business processes. It’s a monetary issue from start to finish, there are no legal requirements. Would I like to know what the fines being levied against companies are? Yes, and I’d like to have enough information to understand the effectiveness of the PCI Standards. But there’s no fiscal incentive for any of the parties involved to disclose fine information to the public, so don’t expect to see it any time soon. Just because we don’t see the teeth doesn’t mean they’re not their though.
And as far as I can tell, there’s no way for the public to get in touch directly with the acquiring banks.