In each article we say that the PCI DSS standard requirements must be fulfilled by all companies associated with the payment card industry.
But what will happen if you don’t comply with these requirements?
In this article we will discuss in detail what consequences the non-compliance with the PCI DSS standard requirements may have.
VISA international payment system has issued a newsletter reminding companies of compliance with the Visa Cardholder Information Security Program (CISP) and Account Information Security (AIS) requirements which regulate the mandatory PCI DSS certification.
This newsletter was issued on July 31, 2014 for the special benefit of all companies that are the payment card industry participants. These are the financial institutions, service providers, retailer and service outlets, etc.
It’s very important to note the following: with this newsletter, VISA filled all payment card industry participants on the implementation of the enhanced PCI DSS Enforcement Plan effective January 1, 2015.
 What does the PCI DSS compliance plan say?
According to this plan, the financial institutions (hereinafter referred to as VISA clients), connected to VISA international payment system, effective January 1, 2015 must request the documentation from their retailer and service outlets, agents or service providers (Report on Compliance, Attestation of Compliance, Self Assessment Questionnaire or Remediation Plan) confirming that they have assessed against the PCI DSS standard requirements.
In fact, it is a confirmation that this service provider or merchant meets all the PCI DSS standard requirements. This documentation should be provided to VISA payment system.
But what will happen if the enterprises we mentioned above have not undergone the certification and do not meet the PCI DSS standard requirements?
With effect from January 1, 2015, according to VISA requirements (PCI DSS Enforcement Plan), service providers and merchants that haven’t been assessed and certified for compliance with the PCI DSS standard requirements can be sanctioned and fined.
Let’s consider in depth the sanctions which can be applied to the companies that didn’t confirm compliance with the PCI DSS standard in time.
1-60 days overdue:
The company, which is found in the Visa Global Registry of Service Providers, will be highlighted in yellow. It doesn’t apply to the service providers or merchants which require filling in a Self-Assessment Questionnaire (SAQ) D to confirm the PCI DSS compliance (self-completion of the questionnaire).
VISA clients must notify their merchants, as well as their agents or service providers, of the need to provide them with the documentation confirming that they have completed the PCI DSS certification or the Remediation Plan.
61-90 days overdue:
The company, which is found in the Visa Global Registry of Service Providers, will be highlighted in red. It doesn’t apply to the service providers or merchants which require filling in a Self-Assessment Questionnaire (SAQ) D to confirm the PCI DSS compliance (self-completion of the questionnaire).
91-180 days overdue:
The company will be removed from the Visa Global Registry of Service Providers. It doesn’t apply to the service providers or merchants which require filling in a Self-Assessment Questionnaire (SAQ) D to confirm the PCI DSS compliance (self-completion of the questionnaire).
The company must provide its Merchant Acquirer or Processing Center (VISA client) with the Remediation Plan, authenticated by the QSA Company, which has the specified time limits for undergoing the PCI DSS certification in order to stop the penal sanctions.
If such Remediation Plan was not provided to or accepted by the Merchant Acquirer or Processing Center, VISA payment system can impose monthly penal sanctions on each service provider or merchant of the Merchant Acquirer or Processing Center according to the Account Information Security (AIS) Program noncompliance fines table.
181-270 days overdue:
If the Remediation Plan was not provided to or accepted by the Merchant Acquirer or Processing Center, VISA payment system can impose monthly penal sanctions on each Visa Principal Bank client.
From 271 and more days overdue:
If the Remediation Plan was not provided to or accepted by the Merchant Acquirer or Processing Center, VISA payment system can impose monthly penal sanctions on each Visa Principal Bank client.
Pay close attention to the following: VISA payment system can implement accompanying measures, for example, risk mitigation measures related to the lack of compliance with the PCI DSS standard requirements. Such measures may include detachment from the VisaNet or disqualification of the agent.
Now let’s consider in depth the sanctions which can be applied to the companies that have never confirmed compliance with the PCI DSS standard:
0 days overdue:
VISA clients, among these are the merchant acquirers, processing centers, etc., must notify their merchants and agents that they haven’t confirmed the PCI DSS compliance in time. It’s also necessary to collect the documents confirming that the service provider or merchant has undergone the PCI DSS certification or confirming the Remediation Plan implementation in case there are non-compliances with the standard during preliminary assessment of the PCI DSS compliance.
1-30 days overdue:
Retailer and service outlets, agents or service providers must submit for approval to their merchant acquirers or processing centers the Remediation Plan, authenticated by the QSA Company, with a designated date of the PCI DSS compliance confirmation. After that approval the Remediation Plan is provided to VISA payment system. In such a way the penal sanctions can be avoided.
31-90 days overdue:
If the Remediation Plan was not provided to or accepted by the Merchant Acquirer or Processing Center, VISA payment system will impose monthly penal sanctions on each service provider or merchant according to the Account Information Security (AIS) Program noncompliance fines table.
91-180 days overdue:
If the Remediation Plan was not provided to or accepted by the Merchant Acquirer or Processing Center, VISA payment system can impose monthly penal sanctions on each Visa Principal Bank client.
181 and more days overdue:
If the Remediation Plan was not provided to or accepted by the Merchant Acquirer or Processing Center, VISA payment system can impose monthly penal sanctions on each Visa Principal Bank client.
VISA payment system can implement accompanying measures, for example, risk mitigation measures related to the lack of compliance with the PCI DSS standard requirements, detachment from the VisaNet or disqualification of the agent.
Therefore, to ensure that your company doesn’t face any VISA sanctions, it’s necessary to undergo the PCI DSS standard certification in time.
Our company is ready to assist you in meeting VISA requirements, fitting and successful undergoing the PCI DSS certification for your business.
By Oleksandr Kuberskii and Igor DemchukIT Specialist