

Penalties You Might Get for Non-Compliance with PCI



When it comes to the card industry, every company that accepts card payments must meet regulatory requirements. Most of these concern protecting confidential customer information while it is stored and transferred. For security purposes, companies can implement data security products that help them maintain high protection standards and meet industry rules.

However, if security efforts fail, a company can be fined and penalized. For example, a company might be ordered to pay fines in the range of $5000-100000, depending on the type of enterprise and the damage caused to its customers.

Thus, a company that doesn't meet the standards may face the following troubles:

  • Fines and penalties. For violating the requirements, businesses pay significant costs as punishment.
  • Litigation. A customer whose confidential information was compromised can sue the company, which usually means additional costs for the business because of legal battles.
  • Reputation. Once clients' data has been leaked or used for fraud, a company can face significant reputation loss among its customers. Because of a bad reputation, a company can in some cases even go bankrupt.

Requirements Violation 

Under the industry rules, companies should pay attention to the following demands. The requirements state that businesses must ensure all of a user's personal information is well protected. You violate the rules if:

  • There is no secure storage where the data is kept.
  • The merchant's POS terminals run on unprotected systems and environments that don't meet PCI.
  • Customers' and employees' passwords or usernames are not protected well enough.

Even if it may seem obvious, some companies ignore these key demands, which then leads to fines and penalties once the data is leaked or the system is hacked.

Who Can Fine the Company and How Much You Can Pay  

Since PCI standards are mainly about self-regulation within the industry, governmental institutions are not involved. Thus, the ones who can punish a company for non-compliance are acquiring banks (payment processors) and card issuers.

The size of possible fines usually varies by bank and issuer brand. However, it is worth noting that the length of time a company has been non-compliant can increase the size of the penalties as well.

Thus, we can consider approximate fines that a company can be ordered to pay in different cases, based on how long the violation of the requirements lasts and whether these are high-volume or low-volume customers:

  • 1-3 Months. Fines can be $5000 or $10000 per customer (for low-volume or high-volume customers, respectively).
  • 2-4 Months. Fines can be $25000 or $50000 per customer.
  • 4-6 Months. Fines can be $50000 or $100000 per customer.

Data Breach Fines

Being compliant with the standards is only half the way. The other important thing is for companies to maintain a high level of security in their systems to avoid any possible breaches.

Along with fines for non-compliance with the rules, there are also penalties and negative consequences for breaches:

  • The company may be fined $50-100 per customer whose CHD (cardholder data) or other confidential information was exposed.
  • Once breached, the agreement between the company and the acquiring bank may be terminated.
  • The company can lose both its reputation as a reliable business and its customers.

Depending on the size of the enterprise and the circumstances, the business can face penalties in the range of $5000-500000. Also, companies that accept payments can be fined $3-5 per card that was compromised.

How Card Issuer Brands Can Fine Companies

Besides penalties from regulators for violations of the industry rules, companies can also be fined by their payment brands (such as acquiring banks or card issuers).

For example, a few years ago Visa and Mastercard expanded their list of settlements (Account Data Settlement) that apply to merchants. Thus, companies that violate the demands will be fined €3000 per ADC as a case fee. There is also a €3 fine per card that is at risk of being compromised, and an additional €18 penalty if that card's CVV is compromised as well.

Penalties for Non-Compliance with Requirements 

There is a wide range of fines, penalties, and fees a company may face, including:

  • PCI standards violation. If the company doesn't meet the demands, it can be penalized by regulators with $5000-100000 fines, depending on the enterprise's size. On top of that, the acquiring bank can also punish the company.
  • Card replacement. If customers' cards were compromised, the company must pay $3-5 per card to be replaced, which can add up to a significant cost, especially if thousands of users' cards were compromised.
  • Legal battles. If a customer sues the company for causing damage, the business may be ordered to pay the costs of the judgment.
  • Audit costs. Once the company's security system has failed, regulators can start an audit and investigation, which also means additional costs for the business.
  • Protection technology implementation. To ensure that the company won't make the same mistakes in the future, it can be ordered to invest in fraud prevention technologies and products, which also means additional costs for the business.

What to Do if Breached 

To minimize the risks when something goes wrong, companies are recommended to take the following steps:

  • Report the security breach to your acquiring bank
  • Lock down the affected system, preventing both access and modification
  • Turn off your system
  • Try to back your system up
  • Record all the actions taken while logged into the system
  • Contact a security consultant
  • Take a snapshot for later analysis

How to Avoid Risks Related to PCI 

The main things here are to take into account all of the industry requirements and to sign a contract only with a reliable vendor that meets the demands and can provide you with quality PCI DSS compliance solutions.

In addition, it is worth having insurance against various security threats to cover penalties in the case of hacks, breaches, or rule violations.

Sky Palmer is an award-winning film director who pivoted during the 2020 pandemic to create a platform called Pressful. Pressful.com is a new platform for getting on-demand press interviews by journalists and press coverage.


Copyright © 2022 Disrupt ™ Magazine is a Minority Owned Privately Held Company - Disrupt ™ was founded by Puerto Rican serial entrepreneur and philanthropist Tony Delgado who is on a mission to transform Latin America using the power of education and entrepreneurship.
