By Bob Goldberg, RSPA General Counsel
A merchant's ignorance of PCI compliance will not shield it from damaging fines and other penalties.
Every consumer receives multiple credit card offers each week. The card companies have hooked the public on the ease of credit card purchases. The demand for credit/debit card purchases exists, making both consumers and card issuers content. Banks and payment processors have shared in the frenzy and found profitable niches. It's merchants and retail technology providers who are left as the vulnerable parties when a data breach occurs in an imperfect system.
The card companies developed the payment system and, at the same time, created a council to define who is responsible for the integrity of that system. The Payment Card Industry (PCI) Data Security Standard (DSS) is a set of mandatory requirements for any party that participates in the payment process. Although these requirements are not themselves law (three states, Minnesota, Nevada and Washington, have written them into statute), failure to comply can put a merchant out of business in the event of a data breach.
As General Counsel to the Retail Solutions Providers Association, I receive calls of distress all too often. Typically the inquiry comes from a solutions provider, and at times the merchant joins in: "It appears there has been a breach of credit card data at my establishment. What should I do?" There are numerous courses to follow when it is alleged that a breach has occurred.