A number of clients have asked me about what sort of non-compliance fines or penalties they could potentially face as a PCI Service Provider, assuming there has been no security breach, but PCI DSS compliance has not been achieved.
Tricky subject here, but I’ll do my best to provide a clear answer… The short answer is that there really isn’t any structure currently in place to impose non-compliance fines on PCI Service Providers, at least not directly.
The only way a Service Provider would currently experience fines is if there was a data breach and one or more of its clients held that Service Provider liable under the contract provisions in place. The card brands and banks have no direct PCI compliance enforcement mechanism for Service Providers, and this follows from the way PCI compliance is enforced: the chain of enforcement is built on contractual relationships, and therefore runs from the Card Brands to the Acquiring Banks, to the Merchants, and only then to the PCI Service Providers. The Card Brands and banks have no direct contractual relationship with the Service Providers, other than sponsoring them for their listing on the Card Brands’ web sites.
For most Service Provider organizations, the bigger risk would probably be the business impact of losing the approved status currently enjoyed with the card brands, as listed on their web sites. If a Service Provider has never demonstrated PCI DSS compliance, then that Service Provider would not be enjoying the marketing benefits of being on the Card Brands’ lists of Validated PCI Service Providers. If a Service Provider was previously listed as compliant but falls out of compliance, and if the issues couldn’t be resolved by the annual validation date, then the Service Provider would go to a “yellow” status on the Card Brands’ list of Validated PCI Service Providers, and eventually would be dropped from the list altogether.
Hope that helps to clarify the matter somewhat.