by brohee 4650 days ago
"Fines will be levied in all cases where merchants are the subject of a security breach and upon investigation are found to be non-compliant. The average fines levied for a small merchant total around £15,000 which is payable on top of any forensic investigation and remediation costs."

This is mitigated quite a bit by the extreme difficulty of reporting PCI-DSS violations before they lead to outright fraud.


I believe there is a PCI requirement that a company's system must be evaluated once every three months by a PCI approved vendor to ensure that data is being kept secure.

To me, it seems kind of contradictory because if a company is being approved by said vendors, then how could they be found non-compliant in a breach? Maybe the quarterly vendor assessment isn't mandatory. digs through documents

EDIT: This quarterly scan is done by an ASV and only evaluates the network in regards to external IP addresses, so it does not check anything regarding how the data is stored/transferred.

My PCI-DSS provider runs Nessus once a quarter. It's found a few bugs, but it's not an evaluation of anything other than my web-facing server.
Nor does a properly documented procedure seem to exist for random people (me) to report blatant PCI-DSS violations they stumbled upon.

PCI-DSS is barely better than security theater, with so little effort spent on finding violations...