May 30 2008

Look to the acquiring banks, not the PCI Security Council

Published by at 11:12 pm under PCI

Alan is continuing the conversation about the firing at TJX and about reporting Payment Card Industry ‘violations’ to someone. I want to pause the conversation for a moment to clear up a few misconceptions.

The PCI Security Council has no power to fine and is only responsible for maintaining the PCI Data Security Standards and administering the assessment process. They set the standards and keep track of who’s compliant (or not). That’s about it. They have a lot of power to influence the security industry, and they have complete control over the assessment process. But what the PCI Security Standards Council does not have is a direct means to fine a company for not being compliant. There is almost no direct relationship between the PCI Council and the businesses taking credit cards.

The credit card companies never fine a merchant directly, since their relationship is with the acquiring bank, not the merchant. In simplest terms, the acquiring bank takes the credit card information from the merchant and gives the merchant his money, minus a small fee. The acquiring bank, the PCI Council and the credit card companies all have direct relationships with each other. Only the acquiring bank has a relationship with the merchant. The credit card companies can fine an acquiring bank, but they don’t fine a merchant directly, though that cost is usually passed through to the merchant in some form.

If a merchant suffers a compromise or is non-compliant, the acquiring bank has several punitive options, including raising the per-transaction fee or levying a fine. Most merchants would rather receive a fine than raised fees; for medium and large businesses the fine would be much less painful than a 0.25% raise in their per-transaction fees, since 0.25% of several hundred million dollars is still a lot of money. The acquiring bank can also choose to absorb the loss.

The acquiring bank has the power to make a company hurt if it’s not compliant or suffers a compromise; that is the ‘teeth’ Alan’s looking for. There isn’t much direct evidence of how much the acquiring banks are fining companies, and what we saw happen with the first TJX incident wasn’t inspiring. Visa fined the acquiring bank $880,000, which will likely be passed along in one form or another. But we, the public, don’t know the specifics of what TJX was fined because there is no reporting requirement. Even working in the industry, all I know of the fines is from the press.

The bottom line is, the PCI process has teeth. They’re being used quietly by the acquiring banks as part of their business processes. It’s a monetary issue from start to finish; there are no legal requirements. Would I like to know what fines are being levied against companies? Yes, and I’d like to have enough information to understand the effectiveness of the PCI Standards. But there’s no fiscal incentive for any of the parties involved to disclose fine information to the public, so don’t expect to see it any time soon. Just because we don’t see the teeth doesn’t mean they’re not there, though.

And as far as I can tell, there’s no way for the public to get in touch directly with the acquiring banks.


3 Responses to “Look to the acquiring banks, not the PCI Security Council”

  1. Chris on 31 May 2008 at 9:06 am

    Do the banks share information with one another concerning their fines/fees? It smells like an anti-trust violation if they do, but if they do not, why wouldn’t a merchant switch acquirers when faced with a large enough fine or a fee increase? Do merchants have to disclose their loss/breach history to acquirers? If not, you have a situation akin to being able to switch auto-insurance companies right after you get in an accident. I note that insurance companies can and do share data to prevent this strategy from succeeding.

  2. Mike on 29 Jun 2008 at 2:47 pm

    Martin, I am happy you’re educating others about the roles and responsibilities of the PCI SSC and the card brands. It’s important that people understand who sets the standards and who enforces them.

    One point of clarification: Visa and MasterCard will never fine merchants directly because they work through their Members (Issuing and Acquiring banks), but the other card brands, American Express, Discover, and JCB, go either way. In other words, AmEx, Discover, and JCB can act as both the issuer and the acquirer, which means they would be able to fine merchants directly.

  3. […] Martin McKeay aptly noted, we must first understand who is in charge of what before asking questions or making […]
