It’s common for companies with gaps in their PCI DSS compliance to wonder “How bad could it really be?” Knowing the possible extent of fines for non-compliance and being able to put dollar values on the risk, can help convince board members or executives to allocate the appropriate budget to your firm’s PCI compliance efforts.
To that end, this article is a guide to the possible PCI compliance fines, including case studies of real-world fines, and, most importantly, guidance on how to avoid PCI fines altogether.
Who Can Be Fined for PCI Non-Compliance?
Before we dive into the possible fines in detail, it’s important to understand who can be fined for PCI non-compliance.
Below we will explain the difference between fines from the PCI Security Standards Council and fines from acquirers (acquiring banks).
It’s crucial to understand that whether or not your organization has formally attained PCI compliance in the past (whether or not you have an AOC or ROC), you can still receive fines and penalties from your acquirer for non-compliance with PCI DSS.
If your organization processes, stores, or transmits credit card information, even at a low volume, it has to comply with the PCI DSS. If it does not, your payment processor can take action.
Before you panic, remember it’s unlikely you’ll receive a PCI penalty from your acquirer out of the blue. You will have been notified of your need for PCI compliance long before any fine will be issued.
If, however, you were notified and ignored the notification, your company is open to penalties. Typically, your payment processor will first give you a remediation period to get compliant. Depending on the current state of your environment and how far out of compliance you are, this timeline can range from a few weeks to a few months. Your payment processor wants you to become compliant rather than to fine you; they aren’t in the business of issuing fines.
The following is a more complete list of who exactly can receive fines for PCI non-compliance.
- Merchants: If a merchant is found to be non-compliant, they may be fined by their acquiring bank.
- Service Providers: Service providers that store, process, or transmit cardholder data on behalf of merchants that are found to be non-compliant with the PCI DSS may be fined by their acquiring bank.
- Payment processors: Payment processors that handle sensitive credit card information on behalf of merchants are liable to be fined by their acquiring bank for non-compliance with the standard.
- Acquiring banks: If a business experiences a breach, the card brands will first check with the acquiring bank and evaluate how well the bank is tracking its merchants’ PCI DSS compliance status. If the bank is found to have non-compliant merchants, it too may face penalties. These fines and penalties are issued by the card brands themselves to the acquiring bank.
Fines From Acquiring Banks
A fine from an acquiring bank for PCI non-compliance can be triggered by a variety of factors, including but not limited to:
- Failing to adhere to the PCI Data Security Standard (DSS)
- Failure to maintain compliance with the PCI DSS
- Failure to properly secure cardholder data
- Failure to properly report a security breach
- Failure to properly address vulnerabilities in a timely manner
Additionally, fines can be imposed for non-compliance with other PCI SSC standards, such as the Payment Application Data Security Standard (PA-DSS) and the PIN Transaction Security (PTS) standard.
Among these, the most common reasons for PCI fines are:
- Failure to properly secure cardholder data, such as by not encrypting sensitive information or failing to implement adequate access controls.
- Failure to regularly monitor and maintain network security. This could be failing to apply software updates or not adequately monitoring for suspicious activity.
- Failure to follow correct incident response and reporting protocol. If you don’t promptly report a security breach you can (among other problems) be fined for PCI noncompliance.
- Failure to conduct proper security awareness training that satisfies the PCI guidelines (which, note, have been updated in v4.0).
The amount of a fine for PCI DSS non-compliance can vary depending on the severity of the violation and the size of the company. For small businesses, fines can range from $5,000 to $50,000 per month for non-compliance. For larger companies, fines can reach millions of dollars.
One example of a real fine for PCI DSS non-compliance is the case of Target. In 2013, the company suffered a data breach that exposed the credit card information of 40 million customers. As a result, Target faced fines from multiple credit card companies that make up the PCI Council. With Visa, they reached an agreement to reimburse up to $67 million in costs related to the breach. To Mastercard, Target agreed to pay up to $19 million to settle costs related to the breach. On top of all that, Target had to pay $18.5 million in a settlement with 47 US states and the District of Columbia.
Another example is the case of Home Depot. In 2014, the company suffered a data breach that exposed the credit card information of more than 50 million customers. As a result, Home Depot was forced to pay out a minimum of $134.5 million to credit card companies and banks.
Fines from Payment Processors and Credit Card Companies
Organizations can also face penalties from payment processors and credit card companies for non-compliance with PCI DSS. These are less direct forms of punishment, but can severely impact a firm’s ability to do business.
These penalties can include:
- Increased transaction fees: Payment processors may increase the fees charged to a company for processing credit card transactions as a penalty for non-compliance with PCI DSS. This can significantly impact a company’s bottom line.
- Termination of merchant agreements: Payment processors and credit card companies may terminate a company’s merchant agreement, effectively ending their ability to process credit card transactions. This can be devastating for a business that relies on credit card sales to generate revenue.
- Legal action: Payment processors and credit card companies may take legal action against a company for non-compliance with PCI DSS. This can even include criminal charges in some cases.
If that’s not enough, there are also the indirect effects of:
- Brand damage: PCI non-compliance may lead to negative publicity and damage to a company’s reputation. This can lead to loss of customers, loss of revenue, and damage to the company’s brand.
- Cardholder lawsuits: Non-compliance with PCI DSS may lead to a data breach, which can result in cardholder lawsuits for damages.
An example of a PCI penalty issued by credit card companies is the case of TJX Companies, which suffered a data breach in 2006 that exposed the credit card information of more than 45 million customers. As a result, TJX Companies was fined $40.9 million by Visa, MasterCard, and other credit card companies.
Another example is the case of Heartland Payment Systems, which suffered a data breach in 2009 that exposed the credit card information of more than 100 million customers. Heartland Payment Systems was fined $60 million by Visa, MasterCard, and other credit card companies, but their total expenses related to the breach were in excess of $139 million.
PCI Fines & Penalties in the Case of a Data Breach
In the event of a data breach involving credit card information, organizations may be subject to additional fines based on the number of cardholder accounts that were compromised. These fines are typically assessed by the card brands (Visa, Mastercard, American Express, etc.) and can be substantial, ranging from several dollars to tens of dollars per compromised account.
These per-cardholder fines are also called “forensic investigation fees”: a cost assessed by the card brands to cover the investigation of the data breach and the potential reissuance of credit cards to affected customers.
But the reality is, if your company is breached and credit card data is compromised, PCI compliance fines may be only the start of your problems.
In addition, the firm could face:
- Fines from other regulatory bodies, such as the Federal Trade Commission (FTC)
- Civil lawsuits from customers or other parties who were affected by the data breach
- Costs associated with providing credit monitoring or other forms of compensation to affected individuals
- Damage to the company’s reputation and potential loss of customers
- Liability for the cost of fraudulent transactions resulting from the data breach
How to Avoid PCI Compliance Fines
To avoid fines for PCI DSS non-compliance, companies should take a proactive approach to securing their networks and systems. This might include implementing firewalls, intrusion detection and prevention systems, and regular security audits. Companies should also ensure that all employees are trained on the proper handling of credit card information and are aware of the risks associated with data breaches.
In addition, companies should conduct regular vulnerability assessments to identify and address any potential weaknesses in their networks. This includes regular scans and penetration testing to identify vulnerabilities and remediate them before they can be exploited.
Companies should also review and update their incident response plans to ensure they are prepared to respond quickly and effectively to a data breach. This includes having a team in place to manage the incident, communicating with customers and stakeholders, and reporting the incident to the appropriate authorities.
Finally, companies should work with a Qualified Security Assessor (QSA) to ensure compliance with PCI DSS. A QSA can help companies identify and address any potential vulnerabilities and ensure that they are in compliance with the standard.
The 2022 Verizon Payment Security Report noted that “none of the organizations that experienced (a) confirmed payment card data breach were in compliance with the PCI DSS requirements at the time of the breach.” So how do you avoid PCI compliance fines and a breach? Be compliant!
Be sure that internally you have the proper governance in place for PCI and are actively applying it to your cardholder data environment (CDE). Finally, ensure that your QSA is really assessing you to the best of their abilities. Don’t settle for a “check the box” assessment; make sure that you are truly compliant. Being compliant is your best defense against a breach and PCI fines.