BOL Conferences
#1445311 - 09/20/10 03:47 PM PCI Compliance
lscott1394 Offline
New Poster
Joined: Jul 2008
Posts: 1
Indiana
Can anyone help me clarify whether we are required to be PCI compliant? We do not issue or accept credit cards. We do issue debit cards.
_________________________
Linda Scott

#1445358 - 09/20/10 04:39 PM Re: PCI Compliance lscott1394
BetsyS Offline
Gold Star
Joined: Jun 2009
Posts: 475
PCI compliance deals mostly with the bankcard acquiring side. You would have to have a PCI compliance program if you offered Merchant Bankcard, to ensure your merchants were storing cardholder data securely and that their equipment and software programs meet the PCI security requirements. Also, there are PCI requirements that impact ATMs if you own any. If you do, your ATM vendor can get you more information. You must also be compliant if you process cash advances.

That being said, you must also meet the PCI standards for storing your cardholder data. Bankcard processors must go through an annual PCI security audit and be validated. The following is a link to the website: http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf

The list gets updated periodically. We go on and verify that both our cardholder processors and merchant processors are current on their validation.
Last edited by BetsyS; 09/20/10 04:40 PM.
_________________________
Let's start at the very beginning; A very good place to start...

#1537454 - 04/19/11 05:05 PM Re: PCI Compliance BetsyS
OldSchoolBanker Offline
Platinum Poster
Joined: May 2005
Posts: 662
FL
Our bank is not a card issuer; however, we do collect credit card information and it is within our loan origination system. Are we required to be PCI compliant?
_________________________
Old School Banker

#1547448 - 05/06/11 04:31 PM Re: PCI Compliance OldSchoolBanker
Russ Horn Offline
100 Club
Russ Horn
Joined: May 2008
Posts: 139
Yes, most financial institutions are required to comply - the following quote came from the Visa Cardholder Information Security Program website, under PCI DSS Compliance:

"PCI DSS compliance is required of all entities that store, process, or transmit Visa cardholder data, including financial institutions, merchants and service providers. The PCI DSS applies to all payment channels, including retail (brick-and-mortar), mail/telephone order, and e-commerce."

See Visa CISP Overview

See also PCI Security Standards Council

However, since banks are highly regulated and regularly/formally examined/audited, they are not usually on Visa's radar.

Hope this helps some.
_________________________
Russ Horn, CISA, CISSP, CRISC
CoNetrix
rhorn@conetrix.com

#1547771 - 05/06/11 08:46 PM Re: PCI Compliance Russ Horn
Comply 101 Offline
Platinum Poster
Comply 101
Joined: Jul 2001
Posts: 708
Visa rules, Councils and Edicts are all well and good. But how does Visa enforce PCI compliance? Once again in the Chicago area, a well-known merchant has had their card information compromised and consumers (banks actually) have lost money.

Who can forget the TJ Maxx fiasco, where their wireless system was hacked into by people in the parking lot. Their PCI compliance was so bad hackers were leaving information on their database as to what card numbers had already been used. Where was their PCI compliance?

I actually tipped off VISA fraud about a major card compromise in Southern Indiana where over $100,000 was lost by a credit union and a bank. This was a small merchant with obviously no PCI compliance. I talked to the store owner before they knew what was going on and he said their customers' information was always well protected. Who examined them for PCI compliance? Nobody. Except perhaps the FBI after the harm was done.

Ok rant over, I feel better now.
_________________________
CRCM CAMs

#1547778 - 05/06/11 08:52 PM Re: PCI Compliance Comply 101
BrianC Offline
Power Poster
BrianC
Joined: Nov 2004
Posts: 6,975
Illinois
The merchant processors are responsible for auditing compliance, although in some cases this is limited to a self-assessment. When a data breach such as this is reported, VISA/MC will look at the forensic evidence and, based on the number of card numbers open to compromise, levy the appropriate fine against the merchant. (Specifics can be found in each card brand's operating rules.) Based on fraud reports that VISA receives through FRS and MasterCard through SAFE, they set what reimbursement, if any, is available to the merchant.

Until the Heartland Payment Systems breach, issuers were responsible for filing compliance cases for EVERY transaction that occurred as a result of the breach. (This was a full-time job for me for a week after the fallout of that one.) Obviously they don't want the paperwork nightmare either, which is why they've switched to setting a flat reimbursement amount.
_________________________
Sola Gratia, Sola Fides, Sola Scriptura, Solus Christus, Soli Deo Gloria!
www.tcaregs.com

#1549047 - 05/10/11 06:58 PM Re: PCI Compliance lscott1394
franchicago Offline
New Poster
Joined: May 2011
Posts: 1
It's my understanding that anyone who accepts payment cards as a form of payment -- which means credit cards, gift cards or debit cards -- has to be PCI compliant. I just watched a webinar on this. I think you can still watch the recorded version: http://www.aocompliance.com/Resources-Articles/webinars.html
