PCI Compliance - who is responsible, host, developer or business owner?

[jschmidt]

I have recently found out that to be pci compliant, your entire server must be pci compliant, or you better not allow anyone even type in their credit card number into a page on your site - whether you are storing it or not. My question is this: If a site is deemed not pci compliant, and the site is compromised, who is liable? I ask because I hosted and developed a few sites that take cards in non-compliant ways, and have notified my customers, but they are not exactly being quick with their responses. So, am I liable or are they, for the super steep fines if something awful happens?

[social_xperiment]

You would probably be held liable as you know the standards required but didn't comply with them and still continued to process credit cards (ignorance of the law isn't a valid defence); If you informed the users of this non-compliance somehow you could argue that they knew but still used the service at own risk; problem with that is no user would use the service then

[wwb_99]

You do have indemnification clauses in your contracts, right?

Anyhow, alot matters on timing -- they changed the rules relatively recently. Also, not the PCI compliance guy, but my understanding is it is on the people who hold the merchant account (ie -- your customer) to ask and insure the standards are being enforced.

My lawyer probably would have counseled against notification, even if it is the right thing to do as it probably makes you more rather than less liable.

[ideamine]

Business owner has full responsibility , but you can request your webhost or any other solution provider.

We are providing PCI DSS compliance solutions.

[cpradio]

My question is this: If a site is deemed not pci compliant, and the site is compromised, who is liable? I ask because I hosted and developed a few sites that take cards in non-compliant ways, and have notified my customers, but they are not exactly being quick with their responses. So, am I liable or are they, for the super steep fines if something awful happens?

Couple of questions.

1) What do you mean "I hosted"? Do you own the server the websites reside on, or did you setup the client with their own host and they pay that organization and do not directly pay you?

2) Did you retain any ownership in the sites you produced? Such as the code?

If you answered "yes" to either you are physically hosting the site and/or the business pays you for hosting, or you retained rights to the code or any portion of the sites that are non-compliant, they you could be held liable if the business owner were breached and took you to court.

The business owner would have to prove your liability though through the court, which will be costly for them, so if they are a small business, the likely won't pursue such a cost, but they "could".

Typically as a future reference, it is probably better to get these answers before contacting your clients who are "at risk", simply because you may want to have worded your e-mail/letter differently or approached the problem in a different manner.

For example, your recent letter/e-mail now shows you know that you didn't abide by the PCI compliance, which will help their case in court. Granted at the time you developed it, you didn't realize it (that is a valid argument, but your letter doesn't really help you in this situation).

I'd draft a new letter, one that states something along the following.

Hi Customer (put their name here instead of Customer),

It has come to my attention that the work I provided for you previously might not be entirely PCI compliant. As you know, the government can impose fines for breaches that occur on websites that are not PCI compliant. I would like to get in touch with you to help resolve this issue in a timely manner.

Please respond by XX/XX/XXXX (put a date here) so that we can work towards an agreement to upgrade your website.

Failure to respond by the date specified above acknowledges that you do not wish to pursue PCI compiance status and removes <insert your company name here> from any liability.

Sincerely,
<your name>
<your company name>
<sign it and date it>

Keep track of when you sent each letter to each client and if they responded (this will help if you do end up in court, due to a breach).