Posted by: Leroy
I am constantly approached by clients who are taking customer credit cards and asked the following question: “Why do we need to be PCI compliant? No one is asking us to.”
Now the obvious answer to that question is, “Because you are taking customer credit cards.” However, because the merchant bank or card brands have not asked the client to show or otherwise prove PCI compliance, and because it is not a federal regulation such as HIPAA, SOX, or GLBA, they feel they are not responsible for PCI compliance. You will often see this type of response from Level 3 and 4 merchants.
It is true that PCI is not a federal regulation such as HIPAA, SOX, or GLBA. Federal regulators will not be knocking on the doors of Level 3 and 4 merchants to perform formal PCI audits. PCI is, however, a contractual obligation between the merchant and the merchant bank. I would almost guarantee that if any of these merchants actually reviewed the contract put in place with their merchant bank, PCI verbiage would be stated within it. In addition, certain states have now put PCI verbiage into state legislation. Nevada has a state law which reads:
“data collectors who are doing business in Nevada and who accept credit cards or other payment cards for the sale of goods or services to comply with the current version of the PCI DSS.”
Three other states have also amended or created state law which contains PCI verbiage. The actual requirements for organizations operating within those states are less strict than those of Nevada.
Finally, even if your organization is not obligated to be PCI compliant by either of the above methods, the FTC has a catch-all with regard to improperly protecting sensitive customer information. Section 5 of the FTC Act, which concerns “unfair and deceptive trade practices”, can be used against organizations that have been breached where it can be proven that the organization was willfully neglectful in protecting that information. I would say that it should be pretty easy to prove willful neglect if a company chooses not to protect cardholder data when PCI has been around since 2006.
In summary, it’s safe to assume that if you are taking cardholder information, you are responsible for its protection and security. Not to mention that, from an overall reputation and best-practice standpoint, it simply makes sense. Business owners need to start putting themselves in the shoes of end users. How would they like it if someone chose to take their sensitive information and did so in an insecure fashion?