Consumers raise red flags about non-compliant businesses.
While most of the PCI compliance questions we receive are from businesses working to understand and implement the standard, there is one question we are asked time and again by consumers. That question is, “How do I report a PCI violation?”
Are they really “violating” the PCI DSS?
Before you report a business in connection with the Payment Card Industry Data Security Standard (PCI DSS), you should first know a bit about what the standard is as well as what it does and does not cover.
The word “violation” implies that the PCI DSS is a law. In reality, the PCI DSS is not a law but rather a set of standards agreed upon and enforced by the major card brands (Visa, MasterCard, American Express, Discover and JCB) in conjunction with merchant banks and payment processors.
Also, the PCI DSS concerns the security of credit/debit card data as it is being accepted, transmitted or stored by the merchant. It is focused on achieving and maintaining that security, no more and no less.
Here are some common scenarios covered by the PCI DSS:
- Credit card information (including the cardholder’s name and account number) is left in public and/or non-authorized view, such as on an employee’s desk or computer screen
- Paper forms containing full credit card information are stored in unlocked cabinets
- Usernames and passwords to electronic accounts holding payment data are not sufficiently protected
- The business’s electronic point-of-sale system is connected to (and therefore communicating with) other systems or devices
And here are some instances where the business’s actions have nothing to do with the PCI DSS:
- You didn’t authorize the business to charge your credit card, but they did so anyway
- You haven’t received a refund on a disputed credit card charge
- You were asked for (or the business made) a photocopy of your driver’s license and/or credit card
- You were asked to write your credit card information on a paper form
- Your full credit card number was printed on a sales receipt
Follow these steps to report a non-PCI-compliant merchant.
Here are the steps you can take if you believe a business is not adhering to the PCI DSS:
- First, reach out to the organization that you feel is out of compliance, so that they will hopefully resolve the issue themselves. You can even share this website with them, should they be completely unaware of the PCI DSS and its applicability to their business.
- If you fail to get a resolution and you know which credit card processor the organization uses, you can report the violation directly to them. You can also go directly to Visa or MasterCard to report the problematic business:
- If you believe your payment card data could have been or may become compromised, contact your issuing bank (the bank name and phone number on the card) right away to alert them and request a new card.
Businesses that are found to be out of compliance with the PCI DSS may be subject to fines by the entity they use to process their credit card transactions. Furthermore, non-compliant businesses that experience a data breach in which credit card data is actually stolen are subject to much larger fines and fees from the banks, card brands, etc.
Check out our Frequently Asked Questions page to see more of the PCI compliance questions we frequently receive.