PCI DSS Fines: How Much Will It Cost?

Subabrata

Subabrata

Aug 11, 2023


A fine of $145 million and a ban from processing card payments for 14 months. That was the PCI DSS fine Heartland paid for data theft of 100 million debit and credit card data from their site in 2008/2009. Target was another recent recipient of PCI DSS fines—they paid $18.5 million in settlements and $202 million in legal charges in 2013 for the theft of 40 million credit card numbers.

The numbers are scary, but they paint an accurate picture of what can unfold once PCI DSS fines are imposed. Typically, you can expect fines in the range of $5,000 to $50,000; the amount varies and does not include legal and settlement costs. The exact amount of a PCI fine depends on several factors, which we address in this blog.

What is PCI DSS, and does it Apply to Your Business?

But first, what is PCI DSS? Payment Card Industry Data Security Standards is a set of security requirements built to protect cardholder data from bad actors. And unlike other security compliance such as SOC 2 or ISO 27001, PCI DSS is mandatory for businesses that process card transactions.

It doesn’t matter whether your business processes less than 100 card transactions a year or more than 100 million a year; PCI DSS covers all businesses under different levels based on the number of payments they process in a year:

Levels of Organization: No. of card transactions per year

Level 1: Over 6 million card transactions per year.
Level 2: 1 to 6 million transactions per year.
Level 3: 20,000 to 1 million transactions per year.
Level 4: Fewer than 20,000 transactions per year.

Now that you know what PCI DSS is, let’s get into the causes of PCI DSS fines and how much they can cost you.

Causes of PCI Fines and How Much Can It Cost You?

You should expect fines from your payment processors and banks if your company suffers a data breach that compromises cardholder data (more on this ahead). Other reasons can also lead to a PCI fine; these are:

1. PCI DSS violation

If you accept card payments from your customers, you will have signed a contract with a payment processor, such as PayPal or Stripe. These contracts contain a clause mandating PCI DSS compliance, and violating that clause leads to sizable PCI fines.

While each payment processor has its own range of fines for non-compliance, there is a typical range of PCI fines, based on the period of non-compliance and the volume of transactions, that you can expect from your payment processor:

Period of non-compliance: Expected PCI fines by transaction volume

1 to 3 months: $5,000/month for lower volume; $10,000/month for higher volume.
4 to 6 months: $25,000/month for lower volume; $50,000/month for higher volume.
7+ months: $50,000/month for lower volume; $100,000/month for higher volume.


2. Data breaches or security incidents

Being PCI compliant does not ensure total security because malicious actors are using innovative methods to cause data breaches. This serves as a reminder that you should take extensive security measures to protect your business.

If a data breach or security incident compromises your cardholder environment, you will be fined around $50 to $90 per affected customer. Remember, this is only a compensation amount: your customers may also file lawsuits, which can cost you a million dollars or more.

For example, after a major data breach in 2017, Equifax paid $500 million in settlements, and those impacted can file claims for expenses until January 2024 for any identity theft or fraud caused because of that data breach.

3. Failure to report a PCI DSS violation

A cardholder data breach is bad news, but not reporting the breach within the specified time adds insult to injury (along with hefty PCI fines). The fine for failing to notify cardholders about data theft varies with the payment processor and the size of the theft. How much can it cost you? The answer lies in the contract between you and your payment processor.

The case of Uber, though not a PCI fine, illustrates what can happen when a data breach is not reported on time. In 2016, the personal data of 56 million Uber customers was stolen, and instead of reporting the theft, Uber paid the hackers $100,000 to delete the stolen data. This led to a fine of $148 million.

4. Using non-compliant service providers

We understand how hard it is to continuously maintain robust security practices to protect your customer data, but have you checked the PCI DSS compliance status of your service providers?

If you rely on third-party service providers for your cardholder environment, such as payment processors or hosting providers, you have to ensure that they are compliant with the latest version of the standard (i.e., PCI DSS 4.0). You can ask them about their status directly or check with your acquiring bank.

This is important because you will be held accountable, and face hefty PCI fines, if a data breach occurs due to their negligence.

These four points are common causes of hefty PCI DSS fines, fines that can run into millions of dollars (as in the cases of Target, Equifax, etc.). But is monetary compensation all that you pay for PCI violations? A big NO!

In the next section, we will discuss the other ways you pay for PCI DSS violations.


Consequences of not being PCI compliant

PCI non-compliance can lead to penalties from card companies and banks ranging from $5,000 to $10,000 per month, depending on the volume of clients and transactions.

We have already discussed two consequences of PCI non-compliance, namely legal charges and PCI fines. Now, let’s look at a few more.

1. Ban from processing card payments

A Forbes Advisory survey from February 2023 found 54% of American consumers use debit cards, 36% credit cards, and only 9% prefer cash as a mode of payment.

The Forbes survey offers ample social proof of the popularity of card transactions, which makes accepting them a must in your sales funnel. But if your business is PCI non-compliant, the major payment card brands (Visa, American Express, Mastercard, etc.) can ban you from processing card payments.

Given the popularity of card payments, this will directly increase the churn rate at the bottom of the funnel (BOFU).

2. Increased chances of data breaches

A PCI non-compliance status means an organization has not implemented adequate security measures to protect the cardholder environment. This leaves organizations vulnerable to data breaches, unauthorized access, and other security issues.

Being non-compliant is an open invitation for malicious actors to tamper with your data and exploit security vulnerabilities. And if data theft does occur, you will face another consequence of PCI non-compliance: reputational damage.

3. Reputational damage

It is possible to regain any monetary amount lost in PCI fines over time, but reputational damages are hard to recover even with years of effort.

Reputational damage happens when news of a data theft, followed by a PCI violation, hits the industry and spreads like wildfire. Such a report puts your organization under public scrutiny and brings bad publicity that leads to customers losing their trust, stakeholders and partners pulling out their money, and a downturn in your sales.


Conclusion

PCI fines can vary, and the exact amount depends on factors such as compliance status, the size of the data breach, the impact on your customers, and the period of non-compliance.

Continuous monitoring of the cardholder data environment is a good way to prevent PCI fines. However, it is easier said than done, given the complexity of PCI DSS security requirements and the ever-evolving strategies of malicious actors.

In such cases, an automation tool that can flag inconsistencies in your PCI DSS security system and suggest steps to mitigate them can be beneficial. Sprinto does exactly that. With Sprinto, you can accelerate your compliance journey by simplifying control mapping, enabling continuous monitoring, automating evidence collection, driving PCI-DSS training, and more. Curious to know more? Talk to our experts now!


FAQs

How to avoid PCI fines?

The best way to avoid PCI fines is to maintain robust security controls and continuously monitor the cardholder environment for vulnerabilities. You can use an automated tool, like Sprinto, for efficient continuous monitoring.

Is it mandatory to be PCI compliant?

Yes, it is important to remember that, unlike other compliance frameworks such as SOC2, ISO 27001, and NIST, being PCI compliant is a legal requirement.

PCI fines in the UK?

A PCI violation can cost around $5,000 to $100,000 per month, which is roughly £4,800 to £80,000, and breach-related penalties can reach millions. In 2017, for example, British Airways was fined $229 million for a data breach that affected 500,000 customers.

Subabrata

Subabrata is a person of science and words. He’s the one who gets fascinated by most things, and lately, cybersecurity and compliance have lured him. From the day seven of learning about cybersecurity, he made a motto to make the industry jargon-free and accessible to all. Besides words, you can catch him with books, movies, and jamming to music. Find him on LinkedIn: @subabrata nath.
