As an IT asset manager, one of your priorities when running your IT Asset Disposition (ITAD) process is adhering to strict industry standards. Near the top of that list is the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is administered and maintained by the PCI Security Standards Council (PCI SSC), an independent body created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).
What does payment card information have to do with your IT assets? Whether your organization stored card data in the cloud or only on local hard drives, any device that ever held, processed or cached that data (servers, workstations, point-of-sale terminals, backup media) can still carry recoverable cardholder data after it is retired. If that equipment is improperly sanitized or disposed of, liability for the resulting breach can fall on you. PCI DSS is designed to ensure that companies maintain a secure environment for cardholder data wherever it is stored and regardless of how large or small the organization is. If your organization accepts, transmits or stores any cardholder data, or handles equipment from merchants who hold a Merchant ID (MID), PCI DSS applies to you.
Several PCI DSS requirements relate directly to managing your physical equipment. Requirement 3 obliges entities that process payment card data to have data retention and disposal policies, so that cardholder data is kept no longer than business, legal or regulatory needs dictate and is securely deleted when that period ends. Requirement 9 restricts physical access to cardholder data with measures such as video monitoring, locked doors and restricted access to network jacks and devices, and it also requires that media containing cardholder data be destroyed when no longer needed, so that the data cannot be reconstructed.
The penalties associated with PCI breaches are not usually openly discussed or widely publicized, but the consequences for a small business can be catastrophic. Here are a few scenarios to be aware of if your IT equipment has ever been used to process or store credit card information:
Card-brand fines after a breach
Visa and MasterCard do not charge businesses or processors a routine fee for PCI non-compliance. However, if non-compliance leads to a security incident or breach, the card brand may assess compliance fines. These fines are typically large, one-time penalties imposed after the security-related event occurs.
Monthly non-compliance fees
If you remain out of compliance on an ongoing basis, your payment processor may charge you a non-compliance fee: a small monthly or annual charge imposed directly by the processor, not by the card brands or the PCI SSC. These fees typically range from $10 to $30 a month, and in some cases up to $100 a month. Because Visa and MasterCard do not charge non-compliance fees, revenue from these fees goes directly to the processors (CardFellow).
Large fines and legal problems
Serious penalties for PCI non-compliance often involve very large fines. The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for compliance violations. That cost is usually passed downstream until it reaches the merchant, at which point the bank is also likely to either terminate the merchant relationship or raise transaction fees.
For more detail on your own exposure, your merchant account agreement should spell out your liability and obligations (What Small Merchants Don't Know (PDF)).
At MPC, we specialize in the sanitization and destruction of digital media. When a business needs to sanitize or destroy digital media containing data protected under PCI DSS, MPC offers two separate procedures that are NAID certified and conform to NIST SP 800-88 and DoD 5220.22-M for confidential information destruction. Note that DoD 5220.22-M is the older multi-pass overwrite reference; NIST SP 800-88 Rev. 1 is the current guidance, and it expects the result of any Clear or Purge operation to be verified and documented rather than assumed, and it treats overwriting alone as insufficient for flash-based media such as SSDs, where cryptographic erase or physical destruction is preferred. For more information on PCI requirements, visit the PCI Compliance Guide website here.
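The verification step NIST SP 800-88 calls for is the part most often skipped in practice. The following is an added example, not MPC's tooling or part of the original page, showing how a practitioner can confirm that a drive image (or a block device the current user can read) really was overwritten with the expected pattern, and, when it was not, whether the residue contains Luhn-valid digit runs that look like primary account numbers. The sample images it builds are constructed in a temporary directory and use the well-known Visa test number 4111111111111111, not real cardholder data; the function names and the one-megabyte chunk size are this example's own choices.

```python
"""Post-sanitization verification for a disk image or block device.

NIST SP 800-88 Rev. 1 expects a Clear/Purge result to be verified, not
assumed. verify_sanitized() reads the target in fixed-size chunks and
confirms every byte equals the expected overwrite pattern (0x00 by
default). On the first mismatch it reports the offset and scans the
surrounding bytes for Luhn-valid 13-19 digit runs, i.e. likely PAN
residue that would put the device back in PCI DSS scope.
Added example, not MPC's tooling. Assumes a regular file or a block
device readable by the current user.
"""
import os
import re
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat on multi-TB devices

# Runs of 13-19 digits not embedded in a longer digit run.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pan_candidates(data: bytes) -> list:
    """Return Luhn-valid 13-19 digit runs found in data (possible PAN residue)."""
    return [m.group(1).decode() for m in PAN_RE.finditer(data)
            if luhn_ok(m.group(1).decode())]


def verify_sanitized(path: str, pattern: int = 0x00, chunk: int = CHUNK) -> dict:
    """Read the whole target and confirm every byte equals `pattern`.

    Returns a dict with: ok (bool), bytes_checked (bytes confirmed clean),
    first_bad_offset (None if ok) and pan_candidates (Luhn-valid digit
    runs found in the chunk containing the failure plus the next chunk,
    so a number straddling a chunk boundary is still caught).
    """
    expected = bytes([pattern]) * chunk
    offset = 0
    with open(path, "rb", buffering=0) as fh:
        while True:
            buf = fh.read(chunk)
            if not buf:
                break
            if buf != expected[:len(buf)]:
                bad = next(i for i, b in enumerate(buf) if b != pattern)
                window = buf + (fh.read(chunk) or b"")
                return {
                    "ok": False,
                    "bytes_checked": offset + bad,
                    "first_bad_offset": offset + bad,
                    "pan_candidates": find_pan_candidates(window),
                }
            offset += len(buf)
    return {"ok": True, "bytes_checked": offset,
            "first_bad_offset": None, "pan_candidates": []}


def demo() -> dict:
    """Build two constructed 64 KiB images and verify both.

    'clean' is fully zeroed; 'dirty' has a planted record at offset 10000
    using a public test card number (constructed data, not a real PAN).
    """
    size = 64 * 1024
    residue = b"name=J DOE;pan=4111111111111111;exp=1229"
    with tempfile.TemporaryDirectory() as d:
        clean = os.path.join(d, "clean.img")
        dirty = os.path.join(d, "dirty.img")
        with open(clean, "wb") as f:
            f.write(b"\x00" * size)
        with open(dirty, "wb") as f:
            f.write(b"\x00" * 10000)
            f.write(residue)
            f.write(b"\x00" * (size - 10000 - len(residue)))
        # Small chunk so the demo exercises several reads on a tiny image.
        return {"clean": verify_sanitized(clean, chunk=4096),
                "dirty": verify_sanitized(dirty, chunk=4096)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

On a real device you would run verify_sanitized("/dev/sdX") after the overwrite and keep the returned dict with the asset's serial number as the sanitization record. A non-zero pattern (for example 0xFF after a one-pass write of ones) is checked by passing pattern=0xFF, and a failure with an empty pan_candidates list still means the overwrite did not complete and the device must not leave controlled custody.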