The PCI DSS (Payment Card Industry Data Security Standard) sets out the data protection requirements that every merchant and service provider handling payment card account data must comply with. Failure to comply not only puts customers at risk of fraud, but also leaves non-compliant firms exposed to data breaches, fines or penalties, and reputational damage.
When working with third parties and service providers, it’s also vital to report any PCI DSS violations you notice. Any company you work with that’s failing to take its own data security responsibilities seriously is putting you and your customers at risk, too. You have a duty of care to your buyers to ensure the suppliers and partners you work with follow their PCI DSS obligations to the letter – as, hopefully, do you.
In this guide, we will explore some common PCI DSS violations, how to report them, the consequences of non-compliance, and how you can avoid fines, penalties, and any knock-on damage from failing to comply.
Common PCI DSS Violations to Watch For
Some of the most common PCI DSS compliance violations include storing unprotected cardholder data, failing to encrypt data in transit, weak security testing and monitoring, using unprotected devices, failing to secure data physically, and running outdated systems and software.
Here’s a deeper dive into these common red flags.
Storing Unprotected Primary Account Numbers (PAN)
Merchants should never store cardholder data unless it is absolutely necessary. Be aware, though, that even if you do not store cardholder data, PCI DSS still applies to any system that processes or transmits it.
If a company must store this information electronically, it must render the stored PAN unreadable, for example with strong encryption, a keyed cryptographic hash, truncation, or index tokens, so that it cannot be used if stolen or intercepted. Sensitive authentication data (full magnetic stripe or chip data, card verification codes and PINs) must never be stored after authorization, even in encrypted form. Check that robust mechanisms are in place to ensure not only that all stored cardholder data is properly rendered unreadable, but also that it is securely deleted when it is no longer needed.
Evidence of cleartext PAN (full card numbers in application logs, spreadsheets, email, or database exports) is a clear sign that a company has violated one of the most important measures of PCI DSS. Without any measures to render stored cardholder data unreadable, cardholder information is easy for cybercriminals to misuse fraudulently or to sell on the black market.
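The two checks described above, finding cleartext PAN where it should not be and rendering what must be kept unreadable, are shown in the following added example. It is not VikingCloud's code or part of the original article. The log lines are constructed for the demonstration and use the well-known public test card numbers; the HMAC key is a placeholder, since a real deployment would load it from an HSM or key management service rather than source code. A Luhn check is used to filter out order numbers and timestamps that happen to be 13 to 19 digits long; a keyed hash (HMAC) is used because PCI DSS v4.x expects hashes of PAN to be keyed cryptographic hashes rather than plain digests.

```python
"""Added example: find cleartext PANs in log text and render PAN unreadable.

Assumptions: SAMPLE_LOG is constructed for this demo and DEMO_KEY is a
placeholder; in production the key comes from an HSM/KMS, never from code.
"""
import hashlib
import hmac
import re
from typing import List, Tuple

# A run of 13-19 digits, optionally separated by single spaces or dashes.
# The look-around assertions make sure we only consider whole digit runs,
# never a 16-digit slice out of a longer number.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Placeholder key for the demo only; load from an HSM/KMS in a real deployment.
DEMO_KEY = b"replace-me-with-a-key-from-your-hsm"


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; rejects most non-PAN digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Display masking: at most the first six and last four digits visible."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def truncate_pan(digits: str) -> str:
    """Storage truncation: keep only the last four digits; the rest is discarded."""
    return digits[-4:]


def hash_pan(digits: str, key: bytes = DEMO_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of the full PAN for lookups without storing it."""
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


def find_cleartext_pans(text: str) -> List[Tuple[int, str]]:
    """Return (line number, masked PAN) for every Luhn-valid PAN found in cleartext."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                # Report the masked form only: the scanner must not leak PAN itself.
                findings.append((line_no, mask_pan(digits)))
    return findings


# Constructed sample log. Line 1 holds a 16-digit order number that fails Luhn,
# lines 2 and 3 hold public test PANs (one with spaces), line 4 is already masked.
SAMPLE_LOG = """\
2024-05-01 12:34:56 INFO checkout order=1234567890123456 amount=49.99
2024-05-01 12:34:57 DEBUG auth request pan=4111111111111111 exp=12/27
2024-05-01 12:34:58 DEBUG retry card="5555 5555 5555 4444"
2024-05-01 12:34:59 INFO token stored pan=411111******1111
"""

if __name__ == "__main__":
    for line_no, masked in find_cleartext_pans(SAMPLE_LOG):
        print(f"line {line_no}: cleartext PAN {masked}")
    # Running this reports lines 2 and 3 only.
```

A regex-plus-Luhn scan of this kind is a quick triage tool, not proof of compliance: it will miss PANs split across fields or encoded in other ways, and a Luhn-valid number is not always a card number. It does, however, catch the most common violation (debug logging of raw card data), and because it never prints more than the masked form it can itself be run safely in an environment that is supposed to hold no PAN.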
Failing to Encrypt Data in Transit
Cardholder data must be secured not only at rest (e.g., encrypted) but also in transit across open, public networks. Failing to implement strong cryptography and security protocols to encrypt PAN while it is transmitted (e.g., from a customer’s browser to an online store) puts it at risk of interception by on-path attackers, who can eavesdrop on or tamper with communications.
One of the easiest ways to spot a company that fails to encrypt data in transit is to look at the protocol at the start of its website’s URL. If checkout pages are served over “HTTP” rather than “HTTPS”, card details are submitted in cleartext and can be read or altered by anyone on the network path. Modern browsers mark HTTP pages as “Not secure” and block pages whose certificates are invalid. HTTPS alone is not the whole story, though: PCI DSS requires strong cryptography, so the site should accept only TLS 1.2 or later (SSL and early TLS are no longer acceptable as security controls), and any payment iframe or redirect must be protected in the same way.
Companies also need to make sure encryption is turned on for all wireless networks that touch the cardholder data environment. There are different forms of wireless encryption, so avoid deprecated or weak protocols with known flaws (WEP, and WPA with TKIP) and instead rely on Wi-Fi Protected Access II (WPA2) with AES, or WPA3 if your wireless routers and devices support it.
Running Poor Security Testing and Monitoring Standards
PCI DSS, together with frameworks such as the NIST Cybersecurity Framework and ISO/IEC 27001, helps firms set up security controls that protect payment card account data at every step of payment processing.
A company that falls short of these standards keeps poor quality logs (if any) and responds slowly to security alerts and breaches, if it is monitoring alerts and security events, or able to detect breaches, at all. It offers little support or reassurance in the event of a breach, and has no regular testing calendar across the year to detect vulnerabilities and weaknesses and to practice incident response procedures. The worst offenders may have no security awareness training for their teams, never update their awareness program to address new threats, and have no incident response plan to refer to.
Using Unprotected Devices
Devices such as wireless routers are prime targets for attackers, largely because they are easy to overlook when it comes to basic security and, by design, broadcast their presence to anyone in range. In the worst cases, people outside a company’s building can join an unsecured corporate network.
A wireless network that you can join without a security key is a glaring example, as is a router with WPS enabled, whose PIN can be brute-forced; the same applies to Bluetooth devices: discoverable, unsecured devices are red flags and exploitable weak points. Some PCI DSS offenders leave their hardware insecure by continuing to use default admin usernames and passwords and by failing to update firmware when needed. Firmware updates address device weaknesses and bugs, patch hardware against known vulnerabilities, and keep devices working with the latest and strongest security protocols.
Failing to Secure Data Physically
It’s a common misconception that once data is secured digitally, it is completely safe – but what about physical security?
Companies breaching PCI DSS might have inadequate on-site locking and access control systems to safeguard the data they handle. They may have on-site servers that are easy to access without ID checks, and their personnel may even leave their devices unlocked, or take sensitive data out of the office without anyone challenging it.
It’s vital that firms both physically and digitally secure systems in their cardholder data environment as well as the cardholder data (if they must store it), ensuring neither systems nor data can be accessed by unauthorized persons, and that personnel are regularly trained on security best practices.
Running Outdated Systems and Software
Outdated systems and software are at high risk from cybercriminals who exploit flaws that the vendor no longer patches (end-of-life products) or that the company has simply ignored. From running obsolete software and operating systems to neglecting firmware updates on networked devices, this negligence leaves common, known vulnerabilities open for attackers’ automated tools to find and exploit. The technical barrier to entry is surprisingly low: many attackers rely on readily available tools and scripts, and even those with limited technical ability can now make use of AI-assisted attack tooling.
Steps to Report a PCI Violation
You should initially attempt to address your concerns with the potential offender – and in the event of no support or communication from them, you may be able to report the compliance violation to their card payment processor or acquiring bank, if known, or direct to the card brands, such as Visa or Mastercard.
Here’s a quick breakdown of what to do.
- Take note of the potential compliance violations and any evidence you have to suggest the company might be at fault.
- Approach the company you believe has violated PCI DSS and share evidence where appropriate. Give the firm an opportunity to respond and to redress the issue themselves – this is a chance for the potential offender to avoid penalties and any further damage.
- If you receive no further contact from the company, or they are uncooperative, you can proceed to reporting them to their card processor. You may be able to identify the processor at the point of sale (its name may be displayed on the POS terminal screen) or during online checkout, if your browser is redirected to the processor’s hosted payment page.
- In addition, or instead if the processor is unknown, inform the brands of the payment cards handled, for example Visa, Mastercard, or American Express. If you are reporting as a consumer, report your concerns to your card issuer.
- Contact the processor and/or card brand online (e.g., using the appropriate Visa regional contact details) and supply as much detail as possible. If you believe your own data, as a consumer, may have been compromised, you should also contact your bank or issuer to cancel your current card and request a replacement.
- The payment processor / card brand will then conduct an investigation privately.
Potential Consequences of PCI Non-Compliance
Failing to comply with PCI DSS can lead to merchants facing fines and penalties levied by card brands, increased transaction fees, legal and reputational damage, risk of payment processing restrictions, increased auditing, and increased risk of cyberattacks.
Let’s break each of these consequences down.
Increased Risk of Cyberattacks
Failing to adhere to the PCI DSS puts companies at greater risk from cyberattacks. Attackers exploit weaknesses in cardholder data environments (CDEs) to gain unauthorized access to payment card account data. The policies, procedures and security measures expected by the PCI DSS serve to protect account data and the CDE, helping businesses prevent, detect and respond to data breaches.
The measures laid out in the standard exist purely to help firms effectively secure payment card information – it’s in everyone’s best interests to follow them.
Fines and Penalties
Non-compliance charges may be levied by a payment processor or acquiring bank on merchants that fail to meet the requirements of the PCI DSS, or their PCI DSS compliance reporting requirements. Businesses that suffer a data breach or account data compromise may face significantly larger penalties: not only card brand penalties passed on to them by their processor or acquiring bank, but also penalties levied by personal data protection authorities.
Penalties against compromised entities can run to tens of thousands of dollars or more, depending on the size of the company and the extent of the compromise. They may be payable monthly, and potentially increase over time, until the expected standards are achieved and the appropriate PCI DSS validation documentation is submitted. Such penalties can seriously threaten the future of smaller businesses.
Increased Costs and Liabilities
Brands or acquirers may impose restrictions to card processing, such as temporarily prohibiting online sales, or even terminating the relationship altogether.
Direct costs to the breached company include costs associated with detection, investigation and escalation, as well as post-breach recovery, remediation and compliance assessment costs. Then there are the costs associated with lost business due to disruption or downtime, lost revenue and lost opportunities.
Legal and Reputational Damage
In addition to the legal implications and potential penalties resulting from a personal data protection breach, a company found to breach PCI DSS will likely lose trust with business customers and partner organizations. Breaches show that merchants haven’t taken due care to protect data, therefore suggesting they may put partners at risk, too.
Non-compliance can severely damage business reputation and industry standing long after problems subside. There is also the risk of affected customers and partners launching legal action, adding to further costs.
Increased Assessment
Once a company is known to have suffered an account data compromise, its post-breach PCI DSS compliance and validation obligations may change. For example, a merchant that previously self-assessed may be required to validate as a Level 1 merchant, with a formal on-site assessment led by a PCI Qualified Security Assessor (QSA). There are also deadlines by which breached companies must achieve PCI DSS compliance, and card brands may require compliance with the PCI DSS Designated Entities Supplemental Validation (DESV) requirements as part of that post-breach assessment.
How to Avoid PCI Violations and Penalties
To benefit from compliance with the PCI DSS and avoid the consequences of non-compliance, you should first familiarize yourself with the latest version of the standard, PCI DSS v4.0.1, and take steps to understand where and how payment card account data is stored, processed and transmitted by you, your vendors and third-party service providers, and your business partners.
Once you have identified the systems and networks in scope for PCI DSS, and all of the people, processes and locations involved, you can define your scope of assessment, documenting that scope with network and data-flow diagrams.
With that understanding of the physical locations, the people/teams (including third parties), the systems and the networks to which the PCI DSS applies, you can commence securing your in-scope environments, systems and networking through the implementation, or update, of security measures to meet the applicable PCI DSS requirements.
Even where it is not expected for your PCI DSS compliance (e.g. on the basis of your PCI DSS Self-Assessment Questionnaire (SAQ) eligibility), it is good practice to regularly scan your systems and assets for vulnerabilities and to arrange for penetration testing to uncover hidden flaws and exploitable attack vectors that could lead to unauthorized access, system compromise or expose sensitive data.
It is critical to set the tone for your commitment to data security by establishing a clear security policy that sets out your company’s information security objectives, and a clear chain of command, responsibility and accountability. Ensure that not only are the people within your organization aware of your security policy and their responsibilities for protecting your information and assets, but also your third party service providers, vendors, and business partners. With this, it’s also imperative to regularly train and re-train staff on your security policy and procedures, on security best practices, acceptable use and their responsibilities, as well as on the latest threat trends – such as those related to social engineering:
“Attackers use psychological manipulation to maneuver individuals into revealing their private information or performing malicious actions that can compromise their security. The success rate of this attack depends on human errors, such as failing to check the authenticity of URLs, using weak login credentials, and not employing robust security protocols.”
Rathod, T. et al. (Information Processing & Management)
In some cases, rather than pursuing compliance for your ‘as is’ assessment scope, it may be worthwhile considering your options to reduce scope and/or outsource the capture, handling and processing of card payments to PCI DSS compliant third-party service providers, minimizing your exposure to payment card data and potentially simplifying your journey to PCI DSS compliance.
Outsourcing doesn’t remove the liability for PCI DSS, but reliance on validated PCI DSS compliant third-party service providers can reduce the risk of PCI DSS violations and data breaches. Our guide to third-party vendors and PCI compliance dives deeper into how to effectively reduce your PCI DSS scope while ensuring the vendors you work with are working above board.
Scope reduction could also involve modifying business processes and taking advantage of new payment solutions. For example, if cardholder data is being emailed in on order forms, change the process to remove the card details section on the form and instead call the customer back to take their payment over the phone. Avoiding PAN storage would reduce the number of applicable PCI DSS requirements but your people, telephony and systems, used to accept and process those telephone payments, would still be subject to the PCI DSS.
Further scope reduction can come from digital solutions such as Pay By Link, where you generate a unique URL for each order and send it to the customer by email, text or social media so they can pay securely online, or from outsourced DTMF telephone payment solutions, which can take your telephony system, your agents and their workstations, and your data and telephony networks out of scope for PCI DSS, because all capture and processing of cardholder data is outsourced to compliant third-party service providers.
Above all, it’s important to seek help from professional cybersecurity experts – such as the VikingCloud team – who can help you analyze your scope, weigh up scope reduction options, navigate the individual measures you need to implement, and prioritize the pain points.
Conclusion
If you become aware of a PCI DSS violation, it’s vital to report it – especially if you’re doing business with a potential violator who could put your customers and reputation at risk. It is just as vital for consumers to report PCI DSS red flags, so that they may protect their own data and that of other customers.
Thankfully, the steps to reporting a PCI DSS breach are relatively simple. And, if you’re keen to ensure your own company follows the standard without exception, while maximizing the benefits of PCI DSS compliance for your business, consider working with the VikingCloud team. Masking PAN and safeguarding other sensitive information isn’t as simple as it might seem – and it’s always worthwhile having an expert on your side to make sure you don’t do too little, or too much.
We’ll help to ensure your systems and networks protect any cardholder data you process within PCI SSC’s expectations – and that you’re always fortified against the worst cyber threats. Contact VikingCloud now to learn more.