The PCI DSS (Payment Card Industry Data Security Standard) covers data protection rules that all merchants handling payment card account data must comply with. Failure to comply with its rules not only puts customers at risk of fraud, but also leaves non-compliant firms at risk of data breaches, fines or penalties, and reputational damage. This blog will address common PCI DSS violations, how to report a PCI DSS violation and the consequences of non-compliance. We show you how you can avoid fines, penalties, and any knock-on damage from failing to comply.
When working with third parties and service providers, it’s also vital to report any PCI DSS violations you notice. Any company you work with that’s failing to take its own data security responsibilities seriously is putting you and your customers at risk, too. You have a duty of care to your buyers to ensure the suppliers and partners you work with follow their PCI DSS obligations.

Common PCI DSS Violations
Some of the most common PCI DSS compliance violations include storing unprotected cardholder data, failing to encrypt data in transit and running poor security testing. Poor monitoring standards, using unprotected devices, failing to secure data physically and running outdated systems or software are also violations.
Think you might need to report a PCI DSS violation? Here’s a deeper dive into these common red flags.
Storing Unprotected Primary Account Numbers (PAN)
No merchant should ever store cardholder data unless it’s absolutely necessary to do so. But be aware that, even if you don’t store cardholder data, PCI DSS still applies.
In the event that this information is stored electronically, PAN should be carefully encrypted, hashed, or truncated so that it cannot be used if stolen or intercepted. There should be robust mechanisms in place to ensure not only that all stored cardholder data is properly rendered unreadable, but also that it is securely deleted when it is no longer needed.
Evidence of cleartext PAN is a clear sign that a company has violated one of the most important measures of PCI DSS. Without any measures to render stored cardholder data unreadable, cardholder information is easy for cybercriminals to fraudulently misuse or to sell on the black market.
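As an added example (not code from the original post or from MediShield), the following Python script shows the two sides of this requirement from a defender’s view: a simple scanner that flags cleartext PAN in stored records using a Luhn check, and helper functions that render a PAN unreadable by truncation or by a keyed hash. The sample records, the test card number and the hash key are all constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample records (not real data). The first contains a cleartext
# PAN (a well-known test number that passes the Luhn check); the second is
# already truncated; the third is an unrelated number that must not be flagged.
SAMPLE_RECORDS = [
    "2024-05-01 order=1001 card=4111111111111111 amount=19.99",
    "2024-05-01 order=1002 card=************1111 amount=5.00",
    "2024-05-01 order=1003 phone=02079460000 amount=1.00",
]

# Candidate PANs are 13-19 digit runs not adjacent to other digits.
CANDIDATE_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_cleartext_pans(records) -> list:
    """Return (record_index, pan) for every Luhn-valid candidate found."""
    hits = []
    for idx, line in enumerate(records):
        hits.extend((idx, m) for m in CANDIDATE_RE.findall(line) if luhn_valid(m))
    return hits


def truncate_pan(pan: str) -> str:
    """Keep only the last four digits, masking the rest."""
    return "*" * (len(pan) - 4) + pan[-4:]


def keyed_hash_pan(pan: str, key: bytes) -> str:
    """HMAC-SHA256 of the PAN; the key must be stored separately from the hash."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def redact_records(records) -> list:
    """Return a copy of the records with every detected PAN truncated."""
    return [CANDIDATE_RE.sub(lambda m: truncate_pan(m.group(0)) if luhn_valid(m.group(0)) else m.group(0), r)
            for r in records]
```

Running the scanner over your own exports, logs and backups is one practical way to gather the evidence of cleartext PAN that the reporting steps later in this post rely on.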
Failing to Encrypt Data in Transit
Cardholder data must not only be secured at rest (e.g. encrypted) but also on the move across open, public networks. Failing to implement strong cryptography and security protocols to encrypt PAN while it is being transmitted (e.g., through an online store) puts it at risk of being intercepted and used by on-path attackers, who can eavesdrop on communications.
One of the most effective ways to spot a company that fails to encrypt data in transit is to look at the protocol at the start of their website’s URL: do they use “HTTP” rather than “HTTPS”? If an organisation is running an insecure, unencrypted website, data can be stolen. In most cases, modern internet browsers warn you if you are accessing insecure websites, with many even preventing you from browsing any further.
Companies also need to make sure encryption is turned on for all wireless networks. There are different forms of wireless encryption. Make sure to avoid using deprecated or weak security protocols with known flaws and instead rely on the Wi-Fi Protected Access II (WPA2) version (or even WPA3 if your wireless routers and devices support it).
Running Poor Security Testing and Monitoring Standards
PCI DSS, and frameworks such as NIST and ISO 27001, help firms to set up security protocols that ensure any payment card account data handled is protected at every step of payment processing.
A company failing to follow these standards keeps poor quality logs (if at all), responds slowly to security alerts and breaches, offers little support and reassurance in the event of a breach, and has no regular testing calendar set up across the year to detect vulnerabilities. The worst offenders may not even have security awareness training for their teams and may not have incident response plans to refer to. These are key cybersecurity activities that are a must.
Using Unprotected Devices
Devices such as wireless routers are prime targets for hackers and cybercriminals, largely because they are easy to overlook when it comes to basic security. They are frequently “advertised” to the public. In the worst cases, people outside a company’s building could still access an unsecured corporate network.
A wireless router that you can access without a security key (e.g., through WPS) is a glaring example of an unprotected device. Discoverable, unsecured devices are red flags: exploitable weak points. Some PCI DSS offenders may leave their hardware insecure by continuing to use default admin and password settings and failing to update firmware when needed. Firmware updates are crucial for addressing device weaknesses and bugs, patching hardware against these vulnerabilities, and ensuring devices work in line with the latest and strongest security protocols.
Failing to Secure Data Physically
It’s a common misconception that once data is secured digitally, it is completely safe. But what about physical security?
Companies breaching PCI DSS might have inadequate on-site locking and access control systems to safeguard the data they handle. They may have on-site servers that are easy to access without ID checks, and their personnel may even leave their devices unlocked, or take sensitive data out of the office without reproach.
It’s vital that firms both physically and digitally secure systems in their cardholder data environment as well as the cardholder data (if they must store it), ensuring neither systems nor data can be accessed by unauthorised persons, and that personnel are regularly trained on security best practices.
Running Outdated Systems and Software
Outdated systems and software are at high risk from cybercriminals who exploit flaws. From running obsolete software and operating systems to failing to install firmware updates on networked devices, this negligence can leave common, known vulnerabilities open for cybercriminals to find and exploit. The technical barrier to entry for cybercriminals is surprisingly low. Many attackers rely on readily available tools and scripts, and even those with limited technical ability can now make use of AI-driven cyberattacks.
Steps to Report a PCI DSS Violation
You should initially attempt to address your concerns with the potential offender. However, in the event of no support or communication from them, you may be able to report the compliance violation to their card payment processor or acquiring bank or direct to the card brands, such as Visa or Mastercard.
Here’s a quick breakdown of how to report a PCI DSS violation:
- Take note of the potential compliance violations and any evidence you have to suggest the company might be at fault.
- Approach the company you believe has violated PCI DSS and share evidence where appropriate. Give the firm an opportunity to respond and to redress the issue themselves; this is a chance for the potential offender to avoid penalties and any further damage.
- If you receive no further contact from the company, or they are uncooperative, you can proceed to reporting them to their card processor. You may be able to identify their processor at the point of sale (for example, the processor’s name may be displayed on screen on the POS terminal) or during online checkout, if your browser is redirected to the processor’s hosted payment page.
- If the processor is unknown, inform the brands of the payment cards handled. For example, they might handle Visa, Mastercard, or American Express. If you are reporting as a consumer, report your concerns to your card issuer.
- Contact the processor and/or card brand online (e.g., using the appropriate Visa regional contact details) and supply as much detail as possible. If you believe your own data may have been compromised, you should also contact your bank or issuer to cancel your current card and request a new card to be dispatched.
- The payment processor / card brand will then conduct an investigation privately.
Potential Consequences of PCI Non-Compliance
Failing to comply with PCI DSS can lead to merchants facing fines, increased transaction fees, legal and reputational damage, payment processing restrictions, increased auditing, and increased risk of cybersecurity attacks.
Let’s break each of these consequences down.
Increased Risk of Cybersecurity attacks
Failing to adhere to the PCI DSS puts companies at greater risk from cybersecurity attacks. This is why it is essential to report a PCI DSS violation. Attackers exploit weaknesses in cardholder data environments to gain unauthorised access to payment card account data. The policies, procedures and security measures expected by the PCI DSS serve to protect account data and the cardholder data environment (CDE), helping businesses prevent, detect and respond to data breaches.
The measures laid out in the standard exist purely to help firms effectively secure payment card information. It’s in everyone’s best interests to follow them.
Fines and Penalties
Non-compliance charges may be levied on merchants that fail to meet the requirements of the PCI DSS, while businesses that suffer a data breach or account data compromise may face significant penalties: not only card brand penalties passed on to them by their processor, but also penalties levied by personal data protection authorities.
Penalties against compromised entities can be significant, in the tens of thousands of dollars or higher, depending on the size of the company and the extent of the compromise. They may be payable monthly, and potentially increase over time, until the expected standards are achieved and the appropriate PCI DSS validation documentation is submitted. These penalties can seriously threaten the future of smaller businesses.
Increased Costs and Liabilities
Brands or acquirers may impose restrictions to card processing, such as temporarily prohibiting online sales, or even terminating the relationship altogether.
Direct costs to the breached company include costs associated with detection, investigation and escalation, as well as post-breach recovery, remediation and compliance assessment costs. There are also costs associated with lost business due to the disruption or downtime, and lost revenue.
Legal and Reputational Damage
In addition to the legal implications, a company found to breach PCI DSS will likely lose trust with business customers and partner organisations. Breaches show that merchants haven’t taken due care to protect data. This suggests they may put partners at risk too.
Non-compliance can severely damage business reputation and industry standing long after problems subside. There is also the risk of affected customers and partners launching legal action, adding to further costs.
Increased Assessment
Once a company is known to have suffered an account data compromise, post-breach PCI DSS compliance and validation activities may change. For example, the business may move from being able to self-assess compliance to mandatory level 1 formal assessments led by a PCI Qualified Security Assessor (QSA). There are deadlines for breached companies achieving PCI DSS compliance. Card brands may also require compliance with the PCI DSS Designated Entities Supplemental Validation (DESV) requirements as part of that post-breach PCI DSS assessment.
How to Avoid PCI Violations and Penalties
To benefit from compliance with the PCI DSS and avoid the consequences of non-compliance, you should first familiarise yourself with the latest version of the standard, PCI DSS V4.0.1. Take steps to understand where and how payment card account data is stored, processed and transmitted.
Once you have identified the systems and networks in scope for PCI DSS you can define your scope of assessment, documenting the network and data-flow diagrams.
Even where it is not expected for your PCI DSS compliance, it is good practice to regularly scan your systems and assets for vulnerabilities and to arrange for penetration testing to uncover hidden flaws and exploitable attack vectors that could lead to unauthorised access, system compromise or exposure of sensitive data.
It is critical to set the tone for your commitment to data security by establishing a clear security policy that sets out your company’s information security objectives. This will include a clear chain of command, responsibility and accountability. Ensure that not only are the people within your organisation aware of your security policy and their responsibilities for protecting your information and assets, but also your third party service providers, vendors, and business partners. With this, it’s also imperative to regularly train and re-train staff on your security policy and procedures, on security best practices, acceptable use and their responsibilities.
Outsourcing Data Processing
In some cases, rather than pursuing compliance for your ‘as is’ assessment scope, consider options to reduce scope and outsource the capture, handling and processing of card payments to PCI DSS compliant third-party service providers. This minimises your exposure to payment card data and potentially simplifies your journey to PCI DSS compliance.
Outsourcing doesn’t remove the liability for PCI DSS, but reliance on validated PCI DSS compliant third-party service providers can reduce the risk of PCI DSS violations and data breaches. Our guide to third-party vendors and PCI compliance dives deeper into how to effectively reduce your PCI DSS scope while ensuring the vendors you work with are working above board.
Scope reduction could also involve modifying business processes and taking advantage of new payment solutions. If cardholder data is being emailed in on order forms, change the process to remove the card details section on the form and take payment over the phone. Avoiding PAN storage would reduce the number of applicable PCI DSS requirements.
Above all, it’s important to seek help from professional cybersecurity experts, such as the MediShield team, who can help you analyse your scope, weigh up scope reduction options and navigate the individual measures you need to implement.
Conclusion
It is important to report a PCI DSS violation where required, especially if you’re doing business with a potential violator who is putting your customers and reputation at risk. At the same time, it is just as vital for consumers to report a PCI DSS violation too!
Thankfully, the steps to reporting a PCI DSS violation are relatively simple. And, if you’re keen to ensure your own company follows the standard without exception, while maximising the benefits of PCI DSS compliance for your business.
To find out more about how MediShield’s PCI DSS services could help your organisational compliance then book a consultation today: Contact Us – medishield.tech
