“How Do I Report a PCI Violation?”

November 2, 2016 • Category: PCI 101

Consumers raise red flags about non-compliant businesses.

While most of the PCI compliance questions we receive are from businesses working to understand and implement the standard, there is one question we are asked time and again by consumers. That question is, “How do I report a PCI violation?”

Are they really “violating” the PCI DSS?

Before you report a business in connection with the Payment Card Industry Data Security Standard (PCI DSS), you should first know a bit about what the standard is as well as what it does and does not cover.

The word “violation” implies that the PCI DSS is a law. In reality, the PCI DSS is not a law but a contractual standard: it is maintained by the PCI Security Standards Council, which was founded by the major card brands (Visa, MasterCard, American Express, Discover and JCB), and it is enforced by those card brands through the merchant (acquiring) banks and payment processors that give businesses access to the card networks.

Also, the PCI DSS deals only with the security of credit/debit card data (cardholder data) while the merchant accepts, processes, transmits or stores it. It is focused on achieving and maintaining that security… no more, no less.

Here are some common scenarios covered by the PCI DSS:

  • Credit card information (including the cardholder’s name and account number) is left in public and/or non-authorized view, such as on an employee’s desk or computer screen
  • Paper forms containing full credit card information are stored in unlocked cabinets
  • Usernames and passwords to electronic accounts holding payment data are not sufficiently protected
  • The business’s electronic point-of-sale system is connected to (and therefore communicating with) other, non-payment systems or devices, such as back-office PCs or a guest Wi-Fi network, without network segmentation, so that those systems become part of the environment that handles card data

And here are some instances where the business’s actions have nothing to do with the PCI DSS:

Follow these steps to report a non-PCI-compliant merchant.

Here are the steps you can take if you believe a business is not adhering to the PCI DSS:

  1. First, reach out to the organization that you feel is out of compliance, so that they will hopefully resolve the issue themselves. You can even share this website with them, should they be completely unaware of the PCI DSS and its applicability to their business.
  2. If you fail to get a resolution and you know which credit card processor the organization uses, you can report the issue directly to that processor. You can also go directly to Visa or MasterCard to report the problematic business.
  3. If you believe your payment card data could have been or may become compromised, contact your issuing bank (the bank name and phone number on the card) right away to alert them and request a new card.

Businesses that are found to be out of compliance with the PCI DSS may be subject to fines passed down by the acquiring bank or payment processor that handles their credit card transactions. Furthermore, non-compliant businesses that experience a data breach in which credit card data is actually stolen are subject to much larger fines and fees from the banks, card brands, etc., on top of the cost of the forensic investigation and any card reissuance.

Check out our Frequently Asked Questions page to see more of the PCI compliance questions we frequently receive.
