PCI compliance penalties include both direct fines and other expenses, like opportunity and operational costs from PCI governance and your clientele. Non-compliance often means you’re at greater risk for cybercrime, which leads to even greater expenses.
Is your organization working toward PCI compliance? Request a free consultation today.
PCI Fines: the Cost of Non-Compliance
The Payment Card Industry (PCI) Security Standards Council (SSC) requires organizations that process credit card payments and information to comply with the Data Security Standard (DSS).
Failure to comply with the PCI DSS can result in:
- Direct monetary fines leveraged by the SSC
- Other penalties enforced by SSC stakeholders
- Indirect penalties and related expenses
Working with a PCI compliance advisor is the best way to avoid PCI compliance penalties.
Monetary Penalties for PCI Noncompliance
If your organization breaks PCI compliance by failing to implement controls or assessing and reporting on security per PCI SSC guidelines, you will likely pay monetary penalties. These may be assessed by the SSC or one of its stakeholders, all of whom process violations differently.
As of 2023, the baseline PCI non compliance penalties break down as follows:
- Charges of $5,000 to $10,000 per month for the first three months of noncompliance
- Charges of $25,000 to $50,000 per month for months four through six of noncompliance
- Charges of $50,000 to $100,000 per month after the seventh month of noncompliance
Beyond the costs of non-compliance, there are also PCI breach fines. Each customer whose information was compromised in a data breach, irrespective of PCI compliance, can incur a $50 to $90 penalty to your organization. Collectively, these can amount to $500,000 at maximum.
It should be noted that information on PCI compliance fines is not made readily available by the SSC or its stakeholders. In practice, fees and penalties may be mediated through third parties such as banks or other intermediary institutions, which could amount to higher overall costs.
Assess your PCI compliance
Other Penalties Enforced by SSC Stakeholders
PCI compliance is governed by the SSC through its Founding Members: Visa, Mastercard, JCB International, American Express, and Discover. These stakeholders oversee most matters of verification, setting thresholds for assessment reporting. They also oversee the enforcement of PCI compliance penalties, including direct fines and other consequences, at their discretion.
For example, an individual SSC stakeholder may offer decreased regular fees and rates based on PCI compliance—or raise them in the case of non-compliance or a data breach. Whether it’s framed as a lost benefit, declined preferential treatment, or a penalty, increased costs for your operations as a result of PCI non-compliance is yet another cost burden, beyond direct fines.
SSC stakeholders can also seize your organization’s ability to process payments entirely.
Terminated Merchant Files (TMF) and the MATCH List
Arguably the most impactful potential consequence of PCI non-compliance is winding up on a Terminated Merchant File (TMF). TMFs are lists of organizations that credit card companies will not work with due to their high potential for risk to the card issuer and other stakeholders. If your organization fails to maintain compliance or experiences a breach, you may wind up on one.
Besides ceasing credit card payment processing, TMF listing can have other harmful effects.
For example, many organizations use the Mastercard Alert To Control High-risk Merchants (MATCH) List to vet strategic partners and competitors. Criteria for inclusion on the MATCH list include but are not limited to the following codes, which act as labels for organizations on it:
- 01 – Account data compromise
- 02– Common Point of Purchase (CPP)
- 03 – Laundering
- 04– Excessive Chargebacks
- 05 – Excessive Fraud
- 08 – Mastercard Questionable Merchant Audit Program
- 09 – Bankruptcy, Liquidation, or Insolvency
- 10 – Violation of Standards
- 11 – Merchant Collusion
- 12 – PCI Data Security Standard Non-compliance
- 13 – Illegal Transactions
- 14 – Identity Theft
PCI non-compliance also has the knock-on effect of making several other MATCH criteria more likely to occur. And the opportunity costs of winding up on a list like this are unfathomable.
Indirect and Other Consequences of Noncompliance
Aside from PCI compliance penalties leveraged by the SSC, there are other reasons avoiding non-compliance is paramount. First and foremost, related to the TMF issue above, is potential reputational damage. Even if an organization is able to avoid placement on the MATCH List or other TMF, word will get out about its failure to secure customers’ sensitive information.
Non-compliance could make existing or potential clients and customers less willing to purchase your goods and services. Existing and potential partners may cease working with you, and you could fail to win contracts if your competitors offer comparable rates with greater security.
PCI non-compliance signals increased risk—and nonchalance about its implications.
Increased Likelihood of Data Breaches and Cybercrime
PCI compliance assures the SSC that your organization takes sufficient measures to protect cardholder data (CHD) from cybercriminals. The assessment and reporting required provide documentation of the controls you have in place to prevent and mitigate threats to your IT environment. It means attacks are less likely to happen or succeed if they do happen.
PCI non-compliance, conversely, indicates a lack of protection. It means you’re more likely to be targeted and less likely to withstand an attack if it occurs. A whopping 93% of experts predict a “catastrophic” cybersecurity event is on the horizon, per a report from the 2023 World Economic Forum. And the average cost of breaches is expected to reach $5 million in 2023.
All this means that organizations should be expanding their cybersecurity infrastructure, not contracting it. PCI non-compliance is a failure to meet relatively basic protection standards that all payment processing organizations should have in place, making you extra susceptible.
The costs of an attack that PCI compliance would have prevented could be debilitating.
Broader Compliance Concerns (PCI and Otherwise)
Finally, organizations need to account for the potential ramifications of PCI non-compliance on other regulations they’re subject to. Firstly, the SSC governs several other frameworks to safeguard CHD in various environments, like the Software Security Framework (SSF).
And, beyond the SSC’s, many organizations are subject to other kinds of regulations:
- Industry standards – Organizations in and around healthcare are subject to HIPAA; those that work with the government and military may need NIST or CMMC verification.
- Local data privacy laws – Organizations may face privacy regulations if they operate in a given state or collect data from its residents—for example, California’s CCPA laws.
- International regulations – Organizations may also be subject to the European Union’s GDPR, one of the most rigorously enforced global regulations, irrespective of location.
If you aren’t able to meet the PCI DSS Requirements, you may also struggle to meet other regulatory requirements. In cases like these, PCI fines may not be the only penalties you face.
Working with an advisor can help you streamline compliance across all applicable regulations.
Avoid PCI Fines and Remain Compliant Today
To recap, PCI non compliance penalties include direct and indirect costs leveraged by the SSC stakeholders, along with other expenses. If your organization fails to comply or falls victim to a data breach, you may be faced with exorbitant expenses, operational burdens, and opportunity costs. Your overall security and compliance with other regulations may also be at risk.
At RSI Security, we’re committed to helping organizations like yours achieve and maintain compliance. We offer advisory, implementation, and assessment services, all of which are based on the principle that the right way is the only way to keep your data secure.
To learn more about PCI fines and how to avoid them, contact RSI Security today!