Consequences of non-compliance: Understanding PCI DSS fines and penalties


The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements for any organization that stores, processes, or transmits payment card data. It is maintained by the PCI Security Standards Council (PCI SSC), founded by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) to protect cardholder data and reduce payment card fraud. Becoming and staying PCI DSS compliant matters, because failing to meet these requirements can have severe consequences.

“PCI security compliance is a business management discipline, not an information technology discipline.” – Verizon Payment Security Report, 2022

The costs of non-compliance can include both financial penalties and indirect consequences, such as reputational damage and loss of business opportunities. What exactly constitutes these fines and penalties, and how can businesses steer clear of them? In this post, we’ll cover the monetary penalties for non-compliance, the indirect consequences, and the key players enforcing PCI compliance.

Key takeaways

  • Non-compliance with PCI DSS can lead to hefty fines and reputational damage
  • Card Brands and Acquiring Banks are key players in enforcing compliance
  • Businesses must follow the PCI DSS roadmap and manage ongoing compliance to protect customers’ payment data and avoid legal action

Understanding PCI DSS fines

To protect customer data and avoid legal action, businesses must adhere to the PCI DSS roadmap and consistently manage compliance. But non-compliance consequences extend beyond immediate fines and penalties. A damaged reputation can result in diminished trust among customers and partners, complicating recovery from a data breach or PCI non-compliance fallout. 

Monetary penalties for non-compliance

Fines for small businesses can be severe, ranging from $5,000 to as high as $50,000 per month, so it is important for these businesses to follow the applicable rules. Bigger companies may face fines that reach millions of dollars. These fines are usually imposed by the Card Brands and passed down through Acquiring Banks for failing to adhere to the PCI DSS requirements. Note that PCI DSS is enforced contractually rather than by a regulator: the amounts are set out in the card brands' operating rules and in the merchant agreement with the acquirer, so the exact figures vary by brand, region, and merchant level.

Aside from the PCI fines imposed by Card Brands and Acquiring Banks, businesses may also face additional penalties for not following other PCI SSC standards, such as the PCI Software Security Framework (which applies to payment software vendors) and the PIN Transaction Security (PTS) standard (which applies to PIN-entry devices). Merchants are typically affected when they deploy payment applications or devices that are not validated against these standards.

Ultimately, non-compliance with the PCI DSS can lead to substantial financial consequences, so businesses must understand and abide by these requirements.

“Since the release of PCI DSS v1.0 in 2004, most organizations continue to struggle with achieving and maintaining effective, sustainable payment card data security. Those that succeed in maintaining all their PCI DSS requirements year-round—rather than ongoing remediation for the sake of passing an annual assessment—implement a strategy and design based on sustainable, well-developed goals.” – Verizon Payment Security Report, 2022

Indirect consequences of non-compliance

Aside from the financial penalties, the indirect consequences of PCI non-compliance can be equally damaging. Businesses that fail to comply with the PCI DSS may experience a loss of customers, partners, and potential business opportunities due to the increased risk perception and reputational damage. 

Additionally, persistent non-compliance can lead an acquiring bank to terminate the merchant account and place the merchant on the MATCH (Member Alert to Control High-risk Merchants) list, Mastercard's database of terminated merchants. Acquirers screen prospective merchants against MATCH, so a listing makes it difficult and expensive to obtain a new merchant account, in some cases for years.

Businesses should therefore prioritize PCI DSS compliance and invest the resources needed to fulfill these requirements.

In addition to the financial and reputational consequences of non-compliance, businesses may also face legal implications. Some U.S. state laws effectively enforce components of PCI DSS, making it essential for businesses to understand and adhere to these requirements.

State laws and PCI compliance

While the PCI DSS is a security standard and not a law, certain states in the U.S. have enacted laws that effectively enforce components of PCI compliance. Nevada, for example, requires data collectors that accept payment cards to comply with PCI DSS, and Minnesota's Plastic Card Security Act prohibits retaining sensitive authentication data after a transaction is authorized, mirroring PCI DSS Requirement 3. Washington has similar legislation. Businesses operating in these states must comply with these requirements or face potential legal consequences.

Non-compliant businesses may face legal action, such as lawsuits and government actions, which can result in further financial and reputational damage. These legal actions may stem from a failure to comply with PCI DSS requirements or state laws enforcing components of PCI compliance, emphasizing the importance of adhering to these guidelines and maintaining a proactive approach to data security.

Key players in PCI compliance enforcement

As we’ve seen, there are several key players in PCI compliance enforcement, including:

  • Payment processors
  • Acquiring Banks
  • Card Brands (the credit card companies)

These entities play a crucial role in ensuring that businesses adhere to the PCI DSS guidelines and face penalties if they fail to do so.

Subsequent sections will further explore the roles of payment processors and acquiring banks, and the roles of the card brands in enforcing PCI compliance and levying fines and penalties.

Payment processors and Acquiring Banks

Payment processors and acquiring banks are the companies that process credit and debit card payments for merchants. Because the acquirer holds the contract with the card brands, it is accountable to them for its merchants' compliance, and so it monitors merchants' compliance status and typically requires an annual Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC) with an Attestation of Compliance.

The fines imposed by the Card Brands and passed on by Acquiring Banks to merchants for non-compliance can range from $5,000 to $100,000 per month. After a breach, these can be accompanied by assessments for card reissuance and fraud losses, higher transaction fees, or termination of the merchant account, all of which can impose substantial financial strain on a business.

In addition to the PCI DSS penalties, Card Brands may also impose penalties for not following other PCI SSC standards. This further highlights the importance of understanding and complying with all relevant PCI standards to avoid financial penalties and maintain a good relationship with the acquiring bank.

Card Brands

Card Brands also play a significant role in ensuring PCI compliance among businesses. These entities partner with the acquiring banks, and the acquiring banks work with the merchant services providers to ensure that businesses meet the PCI DSS requirements and impose fines or penalties if they fail to comply. 

The penalties imposed by Card Brands for non-compliance can vary by region and brand, making it essential for businesses to understand the specific requirements imposed by their partners.

Knowing the PCI DSS requirements and the penalties levied by their partners enables businesses to comprehend the potential consequences of non-compliance and take appropriate steps toward maintaining PCI compliance. This approach not only helps businesses evade financial penalties but also nurtures trust among customers and partners, contributing to their ongoing success.

Three real-life examples of PCI DSS fines and penalties

Now, let’s take a look at some real-life examples of businesses that faced significant fines and penalties due to non-compliance.

These examples act as stark warnings for businesses, underscoring the significance of adhering to the PCI DSS requirements and the possible ramifications of non-compliance.

Target and Home Depot

Target and Home Depot are well-known examples of businesses that experienced massive breaches of cardholder data. Notably, Target had been assessed as PCI DSS compliant shortly before its breach, which illustrates the point made in the Verizon report above: passing an annual assessment is not the same as maintaining effective controls year-round.

In 2013, a data breach at Target exposed millions of customers' payment card details. Target paid a US$18.5 million multistate settlement, the largest ever for a data breach at the time, to resolve state attorneys general investigations of the 2013 cyber attack that affected more than 41 million of the company's customer payment card accounts. This settlement was separate from any card-brand assessments and from the costs of card reissuance and litigation.

Similarly, Home Depot experienced a data breach in 2014 that compromised 56 million credit cards between April and September 2014 (Source: USA Today.) 

These examples serve as a stark reminder of the potential financial and reputational consequences of non-compliance, emphasizing the importance of investing in PCI compliance measures and staying vigilant to avoid similar issues.

TJX Companies 

Between July 2005 and December 2006, over 94 million accounts were exposed at TJX Companies, a major off-price retailer. More than 80 GB of stolen cardholder data was transferred to a site in California. TJX subsequently agreed to pay US$40.9 million to Visa to fund recovery payments to affected card issuers, and reached a separate settlement with MasterCard.

These real-life examples serve as a warning to businesses about the potential consequences of non-compliance with the PCI DSS requirements. By understanding the potential risks and taking the necessary steps to achieve and maintain PCI compliance, businesses can protect themselves from the financial and reputational fallout that can result from a data breach or non-compliance.

Steps to achieve and maintain PCI compliance

Achieving and maintaining PCI compliance involves following the PCI DSS roadmap, which includes adhering to the 12 PCI DSS requirements and ongoing compliance management through yearly assessments and updates. The 12 requirements, as worded in PCI DSS v3.2.1, are:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel

PCI DSS v4.0 keeps the same 12 requirements but restates them in more technology-neutral terms (for example, Requirement 1 becomes "Install and maintain network security controls", Requirement 5 becomes "Protect all systems and networks from malicious software", and Requirement 8 becomes "Identify users and authenticate access to system components"). Businesses validating against v4.0 should work from that wording.

By understanding these requirements and taking the necessary steps to meet them, businesses can avoid the potential consequences of non-compliance and ensure the security of their customers’ payment card data.

The sections that follow will discuss the process of adhering to the PCI DSS roadmap and the significance of ongoing PCI compliance management in maintaining continual compliance with the requirements.

Following the PCI DSS roadmap

The PCI DSS roadmap is a set of rules and guidelines that businesses must follow to become PCI compliant and keep payment card data secure. The 12 PCI DSS requirements are divided into six sections, covering various aspects of data security and protection, such as:

  1. Build and maintain a secure network
  2. Protect cardholder data
  3. Maintain a vulnerability management program
  4. Implement strong access control measures
  5. Regularly monitor and test networks
  6. Maintain an information security policy

Comprehending and implementing these 12 requirements can assure businesses they are taking the necessary steps to meet the PCI DSS standards and safeguard their customers’ payment card data. Such actions not only assist businesses in avoiding potential non-compliance consequences but also build trust with customers and partners, contributing to enduring operational success.

Ongoing PCI compliance management

Ongoing PCI compliance management is crucial for maintaining adherence to the PCI DSS requirements. This involves:

  • Regular assessments, including quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), internal vulnerability scans, annual penetration testing, and an annual Self-Assessment Questionnaire or Report on Compliance, along with reviews of security policies and procedures
  • Updates, which involve modifying security policies and procedures to remain in line with PCI DSS requirements, including patching software, replacing unsupported hardware, and implementing new security measures
  • Re-validation after significant changes to the cardholder data environment, since a network or application change can invalidate a previous scan or assessment

This ongoing management process helps businesses stay on top of PCI DSS requirements and proactively address issues as they arise, ensuring the continued security of customers' payment card data.

Foster trust through PCI DSS compliance with Thoropass

The PCI Data Security Standard (PCI DSS) applies to any business that processes, stores, or transmits payment card data and is enforced by the Card Brands and Acquiring Banks. Thoropass streamlines and accelerates your compliance validation by combining automation with self-assessment support and expert insights, so you can get validated faster with less work.
