PCI DSS compliance is a complicated subject that any organization handling cardholder data should be well-versed in. If you violate the requirements, you may face PCI compliance penalties that can seriously affect your company’s overall financial health.
Let’s say your business is experiencing a data breach. First, the card brands will go to your acquiring bank, the bank that processes credit card transactions for you, and evaluate how well the bank is tracking your PCI compliance.
They may fine the bank if you were not compliant at the time of the breach, and there will always be fines for the violation once the bank’s level of supervision and compliance has been assessed. In the end, the bank will likely pass the PCI compliance fines and penalties on to you.
You’ll hear about PCI compliance fines, which can vary from $5,000 to $100,000 a month (roughly 4,000 to 80,000 in GBP) depending on the size of the company and the duration and scope of your non-compliance.
Also, the bank may impose other penalties, such as increasing transaction fees or even terminating the relationship altogether. In addition, fines that increase over time may be imposed for repeated violations.
Such a fine can be manageable for a large bank but can easily drive a small business into bankruptcy. The penalty can be assessed monthly and can increase over time until you become compliant. If you still don’t follow the rules, your ability to accept credit cards may eventually be revoked.
- Significant fines and penalties: If you are found to be non-compliant, you will be subject to substantial non-compliance fines, regardless of the size of your company.
- Legal costs, settlements, and judgments: If your customers’ data has been compromised, they can sue, which can be extremely expensive. If you don’t meet the PCI guidelines, credit card companies can also take legal action against you, which may be even more expensive.
- Brand reputation: A data breach can significantly jeopardize your company’s reputation and customer loyalty due to credit card information insecurity. Customers are less likely to trust your brand after a data breach, particularly if there is negative publicity surrounding it.
- Loss of business: If you suffer a breach that PCI DSS compliance would have prevented, reputational damage could result in a sudden drop in sales. With very high fines, penalties, and potential legal costs, compensating for the lost sales can be difficult.
What Counts as a PCI DSS Violation?
It’s easier than you think to break the PCI DSS, particularly if you don’t have any systems that can handle sensitive data. While these breaches are often unintentional, they can put PCI and PII information at risk.
Some common PCI breach scenarios include:
- Credit card information or other cardholder data left in plain view in public places, such as on a desk or computer screen,
- Keeping credit card information on paper in unlocked or unsecured cabinets,
- Your point of sale systems linked to other systems that do not have adequate PCI protection,
- Insufficiently protected customer and employee usernames and passwords
As you can see, a careless process or a lack of understanding of data protection can easily result in a PCI breach. This is one of the reasons to have a robust compliance team when building your systems and processes.
Fines from Your Payment Processors and Credit Card Companies
When they sign a contract with a payment processor, merchants agree to pay fees if they fail to comply with the PCI DSS. Penalties vary from one payment processor to another and are larger for companies with higher payment volumes.
There will be no fines imposed on your payment processors or credit card companies for working with an unsuitable business. These companies will almost certainly transfer fines to your business to compensate for losses from your negligence.
You can expect financial penalties from these companies anywhere from $5,000 to $10,000 per month for violating PCI compliance guidelines.
For example, fines are evaluated each month based on your non-compliance status, and the monthly fee increases. Therefore, a company can pay a penalty of $10,000 per month for non-compliance for three months. Additionally, fines ranging from $50 to $90 can be imposed for each customer affected in some way by a data breach.
Again, keep in mind that these are not “fines” in the sense of what you would pay for violating specific government regulations or laws.
Usually, card brands fine payment processors, which in turn penalize merchants. The whole procedure is not always based on the same principles of evidence that would be expected in a criminal court.
However, compared to the credit monitoring fees, litigation, and actions by state and federal governments that can arise if you are not genuinely PCI DSS compliant, these penalties levied by the PCI are minimal.
Although penalties vary from payment processor to processor, there are some similarities, and we can characterize them as typical financial penalties. While your payment processor’s penalties differ slightly from those mentioned here, they are standard penalties you may expect if you haven’t read your vendor agreements or if you haven’t followed PCI guidelines. The penalties will give you a basic idea of what to expect if you do not comply with the PCI standards.
Payment processors often conduct bank forensics investigations to determine their penalties for PCI non-compliance. Some penalties will be standard, and others will depend on your compliance history and your degree of non-compliance at the time of the breach.
Some payment processors and banks will impose fines for your non-compliance in addition to what they receive. These are the penalties they impose on you for not being responsible for your PCI compliance duties.
Depending on how long you have been non-compliant and how much business your company has done with the payment processor, the non-compliance penalties for most payment processors and banks can look like this:
- One to Three Months in Non-Compliance: $10,000 per month for high-volume customers / $5,000 per month for low-volume customers
- Four to Six Months in Non-Compliance: $50,000 per month for high-volume customers / $25,000 per month for low-volume customers
- Seven Months and More in Non-Compliance: $100,000 per month for high-volume customers / $50,000 per month for low-volume customers
What Are the Penalties for Data Breaches in Case of PCI Compliance?
Even if your company is PCI compliant, it is not 100 percent protected against data breaches. This is a risk that any company doing business and financial transactions online takes. Hackers are getting more sophisticated. Even if your PCI compliance is flawless, you can still be the victim of a data breach.
Even if you defend your business against it, a breach will not only bring negative publicity to your company but will also bring more fines. This should give you a strong incentive to make sure the company is as protected as possible.
You should expect consequences from your payment processors and banks if your company has a data breach in which cardholder data is compromised, such as:
- Fines of $50 to $90 per cardholder whose data was compromised
- Your business arrangement with your payment processors and banks will be terminated.
- Bad publicity for your company
- Lawsuits of customers whose data was compromised
- Loss of trust from customers who may not want to do business with you again, as they may not be sure that their card data is secure when they buy something from you.
When non-compliance is found in any area of PCI-DSS, the consequences for an organization are grim. Fines will vary from $500,000 to $500,000 depending on the circumstances of the infringement and the size of the organization.
In many cases, payment card brands will also try to recover operational expenses incurred in connection with the incident, such as card reissue costs, from the merchant bank, along with fraud recoveries if the number of affected cards exceeds the card brand’s minimum threshold.
The commercial bank will transfer these costs to the institution responsible for the violation. The sum of operational expenses and fraud recoveries typically corresponds to a total assessment of $3 to $5 per affected card, although higher amounts are expected.
The organization’s merchant bank usually collects these assessments, fines, and penalties by directly withholding a portion of the payments due to the organization from its routine payment accounts until the amount is fully repaid. While an appeal is possible, it incurs additional costs and is rarely successful.
For a small organization, these costs can be fatal to its financial health. And of course, failing to pay those amounts or failing to address enforceable PCI-DSS shortcomings could lead to the worst outcome of all: the organization’s inability to process credit and debit card payments.
What Are the Penalties Given by Payment Brands for Violations?
The details below are mainly for informational purposes and may vary. The main thing is your agreements and contracts with your bank and payment brands. For this reason, you can get the most accurate and up-to-date information about violation penalties by directly contacting your payment brand. Also, keep in mind that the applicable penalties may vary by payment brand and region.
In 2016, Visa and MasterCard increased Account Data Compromise (ADC) Penalties on Sellers. Visa Europe ADC penalties are as follows:
- Merchants will be charged €3,000 for each ADC regardless of PCI DSS Merchant Levels.
- If the merchant qualifies for a PFI (PCI Forensic Investigator) Lite investigation, the merchant will only have to pay the case fee of €3,000, provided that the PFI Lite investigation process is followed.
If the merchant needs to go through a full PFI investigation, typical ADC penalties will be as follows:
- €3,000 case fee,
- €3 per card deemed risky,
- Additional €18 per card deemed risky if CVV2 is also compromised.
If the Visa fine is €100,000 or more, the penalty structure changes to 5% of the entity’s Visa card turnover in the 12 months before the infringement began.
MasterCard provides two types of penalties, known as Operational Expense Reimbursement (OR) and Fraud Compensation (FR). OR fines can be anything up to $10,000, while FR is available for card issuers that prefer the MasterCard ADC refund program.
MasterCard assesses OR and FR based on which cards are affected and at risk. This makes it difficult to provide details of specific MasterCard penalties. The average fine is $5.50 per unique card lost during the exposure window.
ADC penalties will be levied by each card brand affected by the compromise, which will increase the total value of the penalties. Also, Visa Europe’s €3,000 case fee can be applied to buyers of all compromised merchants.
Merchants that self-report an ADC will also benefit from a reduced penalty. In addition, businesses enrolled in the Verified by Visa (VbV) program will see a reduction of up to 50% for cards deemed risky in any VbV transaction.
For example, if 14% of cards considered at risk are verified VbV transactions, there will be a 14% discount. Anything above 50% will be limited to a 50% discount.
What Are Other PCI DSS Non-Compliance Penalties?
Fines aren’t the only type of PCI compliance penalties. There are many consequences for breach of regulations, including suspension of your ability to accept credit cards, liability for fraudulent charges, credit card replacement costs, and mandatory forensic examination.
Penalties can drain your finances and make it increasingly challenging to run your business effectively, so a PCI compliance breach can be catastrophic for a company without significant cash reserves.
In addition to the penalties imposed on your company, you will likely lose your relationship with your bank, the credit card companies whose cards you accept, and other payment processors you use. They will not want to work with a client that is not PCI compliant.
If they keep you on as a customer, they will likely increase your transaction fees, which will require you to raise your prices to pay those fees. This could result in losing customers who prefer to buy similar products and services from a seller offering lower prices than you can now afford.
While such penalties may not have much of an impact on a large company that can easily absorb and redistribute losses, they can be disastrous for small businesses and potentially cause them to go out of business.
Although penalties are not openly discussed, they can have serious, long-term effects on small and medium-sized businesses. However, it’s important to remember that when it comes to PCI DSS non-compliance penalties, payment providers’ fines are not the only type of penalties you should be concerned about. You should also consider the potential impact of laws and regulations such as the GDPR.
The GDPR, for example, has stringent reporting provisions for data breaches, and violations may result in severe penalties. The most severe violations could be fined up to €20 million or 4% of worldwide annual income, whichever is greater. Since large fines have already been imposed on companies like British Airways (£183.39 million), it is a good idea to take the threat of GDPR fines seriously.
As a different example, Target said the total cost of its major breach of credit card data exceeded $200 million, including $18.5 million in a legal settlement with 47 state attorneys general.
You should be aware that card brands may impose a separate penalty for a data breach even if you comply with PCI rules when the breach occurs. Card brands do not publish the amounts of these penalties, but for businesses that fail to comply with PCI rules when they encounter a breach, they will undoubtedly be higher.
- PCI DSS Penalties for Non-Compliance: If your organization is found to be non-PCI compliant, fines will vary from $5,000 to $100,000 per month, depending on the size of the corporation and the seriousness of the non-compliance. Note that bank penalties may also be passed on to your business through higher transaction fees or service charges.
- Cost of reissuing payment cards: A replacement card will be sent to each customer for each compromised card. Fees can be $3-5 or more per card. When a breach occurs in a small company, thousands of cards are potentially compromised, while a breach at a larger business can affect millions.
- Legal costs: As noted above, a customer or credit card company may decide to sue you if it is found that you are not complying with PCI standards. The costs of lawsuits may increase.
- Investigations and Audits: To determine the cause of the data breach and prevent it from occurring again, forensic investigations or audits will be needed. These can be very costly for your business.
- Fraud Prevention Technologies: To prevent a breach from happening again, card brands may insist that you invest in programs and technologies that can also be costly.
What Should You Do When You Encounter a Data Breach?
When you experience a data breach, the consequences go beyond PCI. All 50 states have breach notification laws regarding personal information, so if anyone’s name and address are compromised, you probably have a reporting obligation, even if their credit card numbers have not been accessed.
Take responsibility after a breach and minimize the impact as much as possible. Deal with the problem and try to make sure it doesn’t happen again. Make sure that people whose data is compromised are protected.
You may find yourself on the receiving end of a PCI DSS violation report, because it is so simple for someone to report you. The steps someone can take to report a violation include:
- Contact the merchant or service provider. You may be able to remedy the problem yourself, depending on the magnitude of the PCI breach. For example, if the person reporting the issue found their credit card information exposed in public view, you may need to provide more training to employees on data protection. Make sure you follow up with the person who reported it to let them know what steps you have taken to correct the situation.
- Report the PCI non-compliance to the merchant’s credit card processor. Also, inform the credit card companies (Visa, MasterCard, etc.).
- If the reporter feels their payment card information is compromised, they will likely contact their bank and ask them to cancel their card.
If you are a compromised vendor or service provider, you must immediately protect your systems. Besides notifying American Express, Discover, MasterCard, and Visa of a security breach within 24 hours, you will need to lock down your systems.
Here are some steps you can take to minimize exposure:
- Tell your bank that your security has been compromised.
- Lock down the affected system. No one should be able to access or modify the systems.
- Unplug your network cables and keep your systems powered on.
- Back up your systems.
- Log everything you do and maintain these logs.
- Stop processes unless instructed otherwise by an experienced data security consultant.
- Take a snapshot of your systems for forensic analysis.
After confirming the data breach, you need to follow the steps below and manage the process by communicating with your bank or payment brands:
- Notify payment brands of infringements.
- Conduct an initial investigation and submit an incident report to payment brands.
- Provide the disclosed payment account data to the payment brands.
- Manage the PCI forensic investigation / stand-alone investigation as needed.
- Follow all requirements for suspected or confirmed incidents of the security breach.
How to Avoid PCI Fines and Penalties?
The easiest way to prevent PCI compliance violations is to make sure the company fully meets the PCI DSS checklist. It should be noted that the cost and time associated with recovering from a data breach are far greater than the cost of becoming PCI DSS compliant and maintaining compliance.
The PCI DSS compliance guidelines provide a framework for limiting the risk of financial loss from fraud and other criminal activities. However, it is the responsibility of any organization that processes payment card information to develop its systems and protocols to meet compliance standards and provide payment card security, privacy, and other steps to reduce risk.
Your vendor agreement with your payment processor will tell you what penalties you will be subject to for PCI non-compliance. If you work with multiple payment processors, make sure you are familiar with them all. Each company may have different fines imposed on client companies for PCI non-compliance.
Review Your Seller Services Agreement
As data breaches reported in the press continue unabated, many executives are becoming aware of the risks that customer data breaches pose to their organizations’ financial health. While their focus is often on reporting and credit monitoring costs, a much-overlooked liability is the financial risk arising from Payment Card Industry (PCI) fines, penalties, or assessments.
To process card transactions for payment, each organization must sign a Merchant Services Agreement with a merchant acquiring bank or a payment processor. This agreement binds the organization to strict adherence to the established Payment Card Industry Data Security Standards (PCI-DSS) as set by payment card brands at all times.
When a business decides to offer a payment option with credit cards, it will work with a financial institution to enact a Merchant Services Agreement (MSA). The terms of everything from the lease of POS systems to the fees paid for swiping credit cards, as well as the responsibility of all parties in the event of a data breach, will be spelled out in this agreement. The MSA will also determine that the vendor must comply with PCI security standards.
If a data breach involving payment card details occurs and the company is found to be non-PCI compliant at the time of the breach, the PCI contract damages under the Merchant Services Agreement may be equal to or greater than any notification or credit monitoring costs.
As you review the contract, you will likely find that all liability for a data breach passes from the financial institution to the vendor who issued the card or accepted it online. If the breach was caused by a failure to meet the PCI security standards, the payment brands would penalize your financial institution.
Unsurprisingly, your financial institution will pass these penalties on to you. Penalties can range from $5,000 to $100,000 for each month in which non-compliance persists.
- Review your vendor services contract and find out exactly what obligations you took on by signing it. Talk to your advisors to determine your comfort level with this risk.
- If you have cyber liability insurance, ensure that PCI Fines and Penalties coverage is included and make sure the coverage is not limited to a minimal amount. While this coverage is typically available from any good cyber insurance carrier, it is not standard across all policies.
- Finally, if you don’t have cyber liability insurance and are accepting credit cards, now is the time to review your compliance and security, because even perfect systems can still fail.