PCI Compliance Fees, Fines, Penalties

Blog / PCI Compliance Fees, Fines, and Penalties: What Happens After a Breach?

The PCI Data Security Standards are a set of rules designed by the credit card brands to enforce card data security. Though these are industry rules rather than laws, they can result in stiff fines and penalties for businesses, and even cost a business the ability to process credit cards. What’s more, these rules impact every business that collects, processes, or transmits card data – from mom and pop shops to retail titans.

What happens to a business when it’s caught out of compliance?

PCI Compliance Fines and Penalties

Let’s say your business has suffered a data breach. First, the card brands will go to your acquiring bank (the bank that processes credit card transactions for you) and assess how well the bank has tracked your PCI compliance. Once they’ve ascertained the bank’s level of monitoring and enforcement, they may fine the bank if you were not compliant at the time of the breach, and there will typically be penalties related to the breach as well. And the bank will very likely pass on PCI compliance fines and penalties to you.

You’ll hear talk of PCI compliance fines, and those fines can range from $5,000 to $100,000 a month, depending on factors like the size of your business and the length and degree of your non-compliance. This fine could be assessed monthly – rising over time – until you’re in compliance. If you still don’t comply, your ability to take credit cards may eventually be revoked.

We should note that the card brands may impose a separate penalty for a data breach, even if you were in compliance with PCI rules when the breach occurred. The card brands don’t publish the amounts of these penalties, but they’ll no doubt be higher for businesses that are not in compliance with PCI rules when they suffer a breach.

What to do When You Experience a Data Breach

When you experience a data breach, the implications go beyond PCI. All 50 states have breach notification laws related to personal information, so if anyone’s name and address has been compromised, you likely have a notification obligation even if no credit card numbers were accessed.

After a breach, take responsibility and minimize the impact as much as possible.Tackle the problem head on and try to ensure it doesn’t happen again. Make sure individuals whose data was compromised are protected – this may mean taking out an identity protection policy for affected customers.

To protect yourself as best you can against this situation occurring in the first place, we recommend checking out the PCI Security Standards Council’s web page designated for merchants getting started. This page provides good resources to help you better protect your customers and your business.

If you need PCI DSS guidance, we’d love to help. Our team of information security professionals can walk you through the entire process from readiness to completed assessment.