A number of clients have asked me about what sort of non-compliance fines or penalties they could potentially face as a PCI Service Provider, assuming there has been no security breach, but PCI DSS compliance has not been achieved.
Tricky subject here, but I’ll do my best to provide a clear answer… The short answer is that there really isn’t any structure currently in place to impose non-compliance fines on PCI Service Providers, at least not directly.
The only way a Service Provider would currently experience fines is if there was a data breach and one or more of their clients held that Service Provider liable based on the contract provisions in place. The Card Brands and banks don’t really have any direct PCI compliance enforcement mechanisms in place for Service Providers. This has to do with the way PCI compliance is enforced. The chain of enforcement is based on contractual relationships, and therefore goes from Card Brands to Acquiring Banks, to Merchants, and then to PCI Service Providers. The Card Brands and banks don’t really have any direct contractual relationship with the Service Providers, other than sponsoring them for their listing on the Card Brands’ web sites.
For most Service Provider organizations, the bigger risk would probably be the business impact of losing the approved status currently enjoyed with the card brands, as listed on their web sites. If a Service Provider has never demonstrated PCI DSS compliance, then that Service Provider would not be enjoying the marketing benefits of being on the Card Brands’ lists of Validated PCI Service Providers. If a Service Provider was previously listed as compliant but falls out of compliance, and if the issues couldn’t be resolved by the annual validation date, then the Service Provider would go to a “yellow” status on the Card Brands’ list of Validated PCI Service Providers, and eventually would be dropped from the list altogether.
Hope that helps to clarify the matter somewhat.