0

If a company needs to be PCI compliant, are there any fines levied on them if they don't do penetration or vulnerability testing? If yes, is it an automatic fine, or is it only if they are caught?

Anders
pzirkind

3 Answers

5

If you don't provide documentation of your compliance (either an SAQ or your AoC and RoC) to your processor/acquirer, they stop processing transactions for you, which is sort of like a fine in that you start losing money and customers.

To quote the overview to the PCI DSS Self-Assessment Questionnaire (SAQ),

you may be required to share [your SAQ] with your acquiring bank. Please consult your acquirer for details regarding your particular PCI DSS validation requirements.

DSS requirements 11.3.1 and 11.3.2 require pentests, and according to this article that impacts anyone with SAQ A-EP, C, D-MER, and D-SP.

gowenfawr
1

If you are in a position whereby you can self-assess, you could lie and respond that all requirements are fully in place. Typically, your acquirer will request a copy of your SAQ and the signed Attestation of Compliance. It is unlikely that additional evidence will be required. A self-assessment is just that: an internal review of your own processes and compliance to the applicable requirements within the standard without a need to provide audit-based evidence to a third party.

Self-assessing and stating that requirements are in place when they are not will provide no security to yourself or to your customers and will render you more vulnerable to a breach. If you are reviewed by a third party at any time, your lack of compliance will be rather evident. Sooner or later, a lack of security will cost the business more than creating and managing a secure environment.

AndyMac
1

Yes, in certain situations.

https://www.pcicomplianceguide.org/pci-faqs-2/#11

Q: Do I need vulnerability scanning to validate compliance?

A: If you qualify for certain Self-Assessment Questionnaires (SAQs) or you electronically store cardholder data post authorization, then a quarterly scan by a PCI SSC Approved Scanning Vendor (ASV) is required to maintain compliance.

This establishes the circumstances where vulnerability scanning is required for compliance.

Q: What are the penalties for noncompliance?

A: The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on downstream till it eventually hits the merchant.

This shows the penalties for noncompliance. Is it a mandatory fine? Maybe, maybe not. But it exists.

J Kimball