I recently read about a company that decided to postpone becoming PCI compliant. Banks and credit unions are insured...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
for customer losses by government agencies, and the card brands only levy fines if they are responsible for costs incurred after a breach (i.e., losses by customers and merchants). Plus, PCI compliance may have little bearing on keeping customers after a breach. In light of all this, are there scenarios in which it makes sense to postpone PCI DSS compliance, or is PCI DSS compliance required?
I agree with one sentiment in your question: PCI compliance has little bearing on keeping customers after a breach. The general public is simply not aware that the PCI DSS requirements exist, so when there is a breach, people are more concerned that the merchant they trusted lost their sensitive information. The recent Target breach is a perfect illustration of this. An assessor may have deemed Target Corp. fully PCI DSS compliant, but the retailer was nevertheless compromised and subsequently taken to task in the public square.
Organizations should not, however, view PCI DSS compliance as optional. When you enter into a merchant agreement with an acquiring bank, you explicitly agree to follow the PCI requirements and are legally bound to do so. PCI DSS compliance is therefore mandatory. The statement that "card brands only levy fines … after a breach" is incorrect. PCI DSS fines can be, and are, levied on merchants that are not PCI DSS compliant, even where a breach has not occurred.
That said, if you are not currently PCI DSS compliant, you probably can't wave a magic wand and immediately become compliant. You should be up front with your bank about your current compliance status and work with them on a prioritized approach to achieving compliance. As long are you are making progress, the bank should be accommodating. If it's not, it might be time to find a new bank.
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
Dig Deeper on PCI Data Security Standard
Related Q&A from Mike Chapple
It's hard to tell if a company is a HIPAA business associate, but a closer look at HHS documents helps. Expert Mike Chapple discusses a specific case...continue reading
There was speculation in the security world over whether the FedRAMP certification would be helpful or not. Now that it's in full use, Mike Chapple ...continue reading
Medical device companies are part of the health industry, but does that make them a HIPAA covered entity or business associate? Expert Mike Chapple ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.