MasterCard Becomes The First Card Brand To Publish PCI Fines

Written by Evan Schuman
August 6th, 2009

MasterCard has become the first card brand to publish its PCI fines and related requirements, a move that could be the latest signal that MasterCard wants to step out of the PCI shadow of its larger rival, Visa. The dollars themselves do not reflect a radical change, although they do include some healthy increases.

“The noncompliance assessment structure now contains escalating assessments per violation within a calendar year,” said the document sent to members earlier this summer. “Maximum assessments for initial noncompliance for Level 2 and Level 3 merchants have increased to $25,000 and $10,000, respectively. Furthermore, the $500,000 annual aggregate maximum for acquirer noncompliance assessments related to program noncompliance has been discontinued.”

As for those escalations, MasterCard has grouped Levels 1 and 2 together. The first violation for those groups is $25K, jumps to $50K for the second violation, $100K for the third violation and $200K for the fourth. Level 3 retailers face first through fourth violation fines of $10K, $20K, $40K and $80K. Service providers that are ranked either Level 1 or Level 2 will see first through fourth violation fines of $25K, $50K, $100K and $200K.

Terri Quinn-Andry, Cisco’s senior manager of PCI, said that she applauds MasterCard’s newfound openness and hopes the new fines will be effective. But does she truly think they will have an impact? “I think if they truly enforce the fine structure, that will make a difference,” she said. “Of course, we won’t know that until 2011.”

The document also confirmed reports of slightly more stringent rules for on-site assessments. “All Level 1 merchants that have engaged an internal auditor before 15 June 2009 must validate compliance with the PCI DSS via an annual onsite assessment conducted by a PCI SSC certified QSA by 31 December 2010,” the document said. “Effective 31 December 2010, all Level 2 merchants must complete an annual onsite assessment conducted by a PCI SSC certified QSA.”

Previously, the Level 1 requirement allowed a merchant’s own internal auditor to perform the assessment.


11 Comments

  1. James Reinhard Says:

    I do not understand why an organization’s internal audit department cannot perform the assessment? Is it an independence issue? Is it a qualifications issue?

  2. Sean McDermott Says:

    James – it is both and more.
    First, companies should be applying even more stringent security requirements than those required by PCI. They don’t – and the fact is they will always apply the lowest set of standards they can get away with because securing data costs money.
    Secondly, it would be a conflict of interest to have a company performing its own security assessment. IMO, the SAQ is one of PCI’s greatest faults.
    And lastly, the food industry has shown how well self-examination and certification programs work.

  3. Jason Says:

    Well said Sean, you hit the nail on the head.

  4. Chuck Williams Says:

    Notwithstanding the need for independent “3rd party” assessments, I find the interpretation of many of the PCI DSS requirements to be subjective depending on which QSA is rendering an opinion. In many cases we’ve received a favourable opinion from one QSA and a contradictory opinion from another. The merchant is left pondering the futility of it all.

  5. Bryan Johnson Says:

    Despite the sensibility of PCI standards normalization across card brands, it seems that most can’t resist maintaining something unique. Which, in the end, complicates matters.

    I also agree with Terri Quinn-Andry: it’s nice to see some openness from MasterCard.

  6. Steve Davies Says:

    In many other professions, medical, legal and professional engineering to name a few, second opinions and differences of opinions are the norm. The folks at the PCI Security Standards Council insist that each Qualified Security Assessor weigh the exact circumstances and render their own opinion. I think this is exactly the way it should be. Only the QSA has enough information at hand to render an opinion. Of course, just like doctors and lawyers, QSAs are human and have different interpretations of the same information. In the end, I think merchants benefit from this. There is more than one secure (and many insecure) implementation in most cases and this affords the merchant greater flexibility.

  7. Gareth Says:

    @steve –

    Unlike doctors, lawyers and legal professionals, there are no enforced minimum standards of education and training for QSAs. 2 days of “training” and an open book exam does not equate to a professional opinion.

    The supposed 5 years of previous experience is not checked out by anybody. No previous audit experience or qualification is required. Your security experience could have been doing literally anything – I know an AV analyst of 3 years experience who is now a QSA.

    The scheme is absolute junk for those reasons and more.

  8. Jeff Wilder Says:

    As a QSA, with numerous years of audit and security experience, I can speak from a position of authority on this subject. What I find difficult is that the card brands provide all the data in clear text to begin with and then put the onus of responsibility to protect it on the same person who is selling you the ice cream. If the card brands truly wish to protect their data, then they should change the architecture on which card processing is built (via strong encryption, salted hash values, one time card numbers, etc.)... and own the process of protecting the data themselves, rather than relying on the shoe store, clothing store or local restaurant. Let’s not forget who actually owns the data here... it’s not the merchant or service provider. The card brands need to take ownership.

  9. Jim Bagozzi Says:

    I certainly support the standards approach and the attempt from the industry to self-regulate. Unfortunately, the ‘bad guys’ always seem to be one step ahead. Matter of point: the major breaches that have hit the press over the past few years have been attacks on ‘PCI Certified / Compliant’ organizations.

  10. Bob Smith Says:

    I agree with Jeff Wilder. The current system is fundamentally flawed. It is based on the idea of keeping a plain text number secret; a number which you must share with everyone you do business with. In a typical e-commerce transaction, the card data could be stolen by a virus/keylogger on the consumer’s computer, a packet sniffer on a compromised network, from a compromised web server, from a compromised card processor, from a compromised internal system at the merchant, by a dishonest employee, etc. The idea that PCI compliance will change anything is unrealistic.

    The card companies are deflecting the responsibility to the merchants instead of fixing the problem. The system needs to be changed.

  11. Eric Jernigan Says:

    I don’t understand how you can do a risk assessment involving PCI unless fines are published and transparent. I have been relying on the word of QSAs to get this information but that is a BS way to get this basic kind of information.

    ALL fines and sanctions regarding PCI noncompliance/breach need to be on the site. PERIOD.

