I have had many questions on the topic of compliance for Level II PCI Merchants that are transitioning from a SAQ to an On-site audit with a Report on Compliance (ROC). Many are concerned with the prospect that they are non-compliant with many of the controls and want to know what they should do and what risks they face.
The answer will depend on the merchant’s acquirer/processor (Chase, Fifth Third, etc.) and their contract. Should the merchant find they are non-compliant, they will want to report their status to the acquirer. The acquirer will want to see a plan for how and when the merchant is going to remediate, and will manage the merchant with regular touch points on progress. The acquirer will agree to a remediation date with the merchant. Beyond that date, the usual outcome is increased contact and monthly fines, or termination of the ability to process credit cards. Here is the latest on Mastercard’s fines:
The bigger risk is not having safe harbor protection while remediating. Should the merchant experience a breach while not compliant, they may be held responsible for the fraud on the cards and the re-issuing of cards from the card issuers. The contract language with the acquiring bank will spell out some of the liabilities. Many of the acquirers have been updating their contracts to have stronger language on compliance and liability. Another scenario is being shut off from processing credit cards by that acquirer and being unable to get a new acquirer, because they all require PCI compliance.
Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 Auditor