Questions about PCI Compliance

Question 1:
Let’s say that you are a small merchant and are “very close” to being PCI compliant. You don’t store credit card numbers. You definitely pass the merchant bank’s requirements for compliance, but there are a couple of vague items in the PCI DSS self-addressed questionnaire that you don’t adhere to quite perfectly, though you’ve definitely tried. Let’s then say that you’ve somehow gotten a security breach and now VISA is auditing you.

I am well aware that you are responsible for the fraudulent charges on the cards that have been compromised, as well as all associated costs in repairing the damage.

My question is about the fines: in your opinion, or based on anecdote, will VISA fine you out of business? Or will they assess “how far” in the wrong you are and fine you accordingly? The only thing I know about their fines is that they “could be up to $500,000”.

Question 2:
Have you heard of the July 1 rule? Many informed people believe that on July 1st whatever software you use that touches credit card information (shopping cart software included) must not only be PCI compliant, it must be PCI validated. This means that it must appear on this list:
https://www.pcisecuritystandards.org/security_standards/vpa/vpa_approval_list.html

This rule is stated here on the official PCI site: http://www.pcicomplianceguide.org/pcifaqs.php
“ALL PCI Level 4 merchants (new and existing) using third-party software must use validated applications. July 1, 2010”

However, it’s Visa that is going to audit you, not the PCI. And Visa is a huge part of the PCI, and explicitly states that it adopts the PCI-DSS in lieu of their own pre-existing rules. And on their site (http://usa.visa.com/merchants/risk_management/cisp_payment_applications.html) they say:
“While the use of PA-DSS validated payment applications is recommended, a payment application need not be included on Visa’s list of PABP validated payment applications or PCI SSC’s list of PA-DSS validated payment applications in order to comply with Phase 2, Phase 3 and Phase 5 requirements for use of PA-DSS compliant applications. Acquirers may determine the PA-DSS compliancy of a payment application through alternate validation processes, which should confirm that payment applications meet PA-DSS requirements and should facilitate compliance with the PCI DSS.”

These two statements seem to be in direct conflict with each other. My question to you is wtf is going on with this rule?

Thanks for reading.

Not being PCI compliant is like driving naked through downtown New York with no auto insurance.

As long as nothing bad happens, nobody will ever know and you’ll save some money.

But get into a little accident and you’ll feel awfully exposed.

A gentleman on another forum has cleared up question #2 for me. pcicomplianceguide is NOT the official site on PCI compliance (my mistake). The July 1st rule had been in effect, but sometime over the past year it has been relaxed by Visa.

Small payment application developers rejoice!