What is Safe Harbor for PCI Compliance?

Safe Harbor is a term used to describe the protection of business entities from significant financial liability related to payment processing and data breaches. The applicable law and the card brands' specific Safe Harbor rules are continually evolving. What is most important for MERCHANTS to understand is that by maintaining compliance with the Payment Card Industry Data Security Standard (PCI DSS), known as PCI compliance for short, and being able to prove it, you are protecting not only your customer data and reputation but also the financial health of your company.

What is Safe Harbor?
Safe harbor is the outcome of successful PCI DSS compliance validation and provides members protection from fines and compliance exposure in the event of a data compromise. To attain safe harbor status:

  • A member, merchant, or service provider must maintain full compliance at all times, including at the time of the breach, as demonstrated during a forensic investigation.
  • A member must demonstrate that, prior to the compromise, its merchant or service provider had already met the compliance validation requirements and was fully compliant. Note: submitting compliance validation documentation does not, in and of itself, give the member safe harbor status. Validation documents attest to compliance at a point in time; the entity must actually have adhered to all the requirements at the time of the compromise, and that is what the forensic investigation examines.

Below are links to more information on the subject:
A Closer Look at the PCI Compliance and Encryption Requirements of Nevada’s Security of Personal Information Law (David Navetta, posted March 10, 2010)

As of 2006, this is the published MasterCard statement regarding Safe Harbor: MasterCard will fully exempt acquirers from data security-related noncompliance assessments, investigative costs, and issuer reimbursement costs if the compromised entity:

  • Is found to have been compliant with the Payment Card Industry (PCI) Data Security Standard at the time of the compromise, and
  • Was registered on MOL (in the MRP system) as compliant at the time of the compromise.

Visa defines safe harbor as follows:
“Safe harbor provides members protection from Visa fines and compliance exposure in the event its merchant or service provider experiences a data compromise.”

Visa Compliance Fines

If a member, merchant, or service provider does not comply with the security requirements or fails to rectify a security issue, Visa may fine the responsible member. Visa may waive fines in the event of a data compromise if there is no evidence of non-compliance with PCI DSS and Visa rules. To avoid fines, a member, merchant, or service provider must maintain full compliance at all times, including at the time of the breach, as demonstrated during a forensic investigation. Additionally, the member must demonstrate that, prior to the compromise, the compromised entity had already met the compliance validation requirements and was fully compliant.

Here is what the North Carolina state government’s State Comptroller website says:

What is a Safe Harbor? Safe harbor is an element of Visa’s CISP that provides member banks potential protection from Visa fines and compliance exposure in the event their merchant experiences a data compromise. MasterCard’s SDP has a similar program called SDP Program Registration. Since a merchant must maintain full compliance at all times, including at the time of the breach, as demonstrated during a forensic investigation, the safe harbor provision offers little protection in practice.

Visa Cardholder Information Security Program (CISP)
Links to general Visa information; not specific to Safe Harbor.
PCI Security Standards Council: the official organization, with everything you need to know to become compliant; not specific to Safe Harbor.

3D Merchant security links

Visa’s Top Five Data Security Vulnerabilities (PDF download)