5

We're working really hard to achieve PCI compliance for a project and will likely be spending hundreds of dollars each month, but I was wondering what if, god forbid, something unlikely happens and there is a breach somehow, do we still pay for the "inquiries" and the exposed card holder data although we were PCI compliant?

I'm just considering the worst case scenario, because if companies like Sony can get hacked then we're a tiny startup after all.

Nimbuz
    This is mainly a legal question, so keep in mind that nobody here can provide you with legal advice. Best option is to consult a lawyer that's familiar with the laws that apply to your country and/or state. – Polynomial Dec 17 '12 at 16:54
  • Ok, but still I wanted to know the general rule. I always wondered why the companies were fined millions although they were (I assume) PCI compliant. BTW, our company is US based. – Nimbuz Dec 17 '12 at 17:07

3 Answers

4

PCI compliance is not insurance.
It is not a real measure of protection.

I sum up the value of PCI compliance in my well-known eponymous law, AviD's Law of Compliance:

PCI compliance reduces the risk of the penalties of non-compliance.

In other words, much like how paying taxes is a requirement but does not necessarily entitle you to any specific government benefit - you have to be compliant. And if you're not, you will have to pay a fine. But this does not necessarily help with preventing breaches or responding to them...

As I answered in Vulnerability scanning applicability for PCI DSS, compliance is not about security.
As the other answers here mentioned, you need to implement security controls and secure features aside from the compliance. If you get breached, you still have fallout from that.

However, being compliant in the event of a breach does mean that you won't be getting a non-compliance fine. (See AviD's law above...) You'll need to pay any other costs, such as damages and repair costs, but at least there won't be a fine (well, at least not from PCI - other laws and regulations may apply).

AviD
3

Be aware that getting QSA sign off for compliance doesn't necessarily mean you comply with PCI.

While you need to show PCI compliance, you will be better off focusing on getting your controls right, which will both protect you and put you in a good position to pass PCI.

And yes, you will still have all the expected costs if you do get hacked.

Rory Alsop
  • That's exactly what we're trying to do, but as I said, if companies like Sony with all their money, resources and expertise still can't prevent such incidents, there is a chance, no matter how small, that we could also be hacked. Anyhow, it seems really unfair that you spend so much time, effort and money on PCI compliance and you'd still be fined if you get hacked! Would like to see an authoritative reference if possible? I couldn't find anything on the PCI website. – Nimbuz Dec 17 '12 at 17:37
  • 2
    You are mistaking resources for actually building in controls. Sony are now famous for not putting in appropriate controls. I don't know how authoritative I am but I have worked with and against QSAs in the past, for small companies and global enterprises, and believe me, you will still be fined if you leak CC details (or personal info in many countries) because of poor controls. Of course what I would like to see is QSAs held responsible... – Rory Alsop Dec 17 '12 at 17:43
  • 1
    You don't need vast resources, although small companies might be best off outsourcing the entire payment function to a reputable payment services provider. – Rory Alsop Dec 17 '12 at 17:44
  • Using a payment service provider is the easiest but not always the best solution. We *have to* store cards for a reason, otherwise we wouldn't be spending time and money on this PCI mess. Not sure about others, but assuming we do put in appropriate controls and are rightly PCI compliant, it would be ridiculous to still pay fines! Or are you implying that if someone is PCI compliant, that means there is absolutely NO WAY their security could be compromised, and Sony wasn't PCI compliant? – Nimbuz Dec 17 '12 at 17:48
  • Whoops, just read your bio and now I feel stupid to have asked for an authoritative reference. :) But still, being PCI compliant and still paying fines doesn't make sense at all. – Nimbuz Dec 17 '12 at 17:59
1

Yes, you do pay for those inquiries even if you were PCI Compliant. But being PCI compliant also means that you are much, much less likely to experience such a breach.

Consider Stripe - then you have no credit card data on file to hack and you only have to worry about the sort of breach where a hacker gets your shopper emails and emails everyone that their card data has been compromised (when in fact it has not).

Even that will get you a fine, because you allowed the email list to be hacked and earned bad publicity for the entire PCI industry.

Your contention that getting fined 'even if I am PCI compliant' isn't fair makes it sound like you have no real intention to engage with the real idea being discussed here - taking responsibility for making sure that card holder data is safe.

Ron Robinson
  • I'd love to use Stripe, but their fee structure is not suitable for micropayments, which is a deal breaker for us. As for taking responsibility to make sure data is safe, looks like I haven't been able to express myself clearly, probably because English is not my primary language. What I mean is, even if we do our best, there are still chances that maybe some internal person (datacenter guys, developer etc.) gets the master key file somehow. Not likely but still possible, I'm just afraid of that. – Nimbuz Dec 18 '12 at 05:14
  • @Nimbuz, what about background checks, two-man rule, more personnel controls? – Deer Hunter Dec 18 '12 at 09:14
  • http://www.dwolla.com Free under $10, a flat $0.10 fee above that. – Chad Brewbaker Dec 19 '12 at 18:00