PCI Non-Compliance: Fees and Penalties Explained
Failing to maintain customer data privacy and security can lead to significant financial and reputational consequences
Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is required for any business that stores, processes, or transmits cardholder data, whether the cards are taken at a point-of-sale terminal or over the internet. While compliance does not guarantee protection against data breaches, it does give your customers, as well as payment processors and card brands, assurance that you are taking cardholder data security seriously.
Failure to comply with these standards can result in penalties, such as additional fees. Read on to learn more about how PCI non-compliance fees can impact your organization’s ability to accept payment — not to mention its bottom line.
What Is PCI Non-Compliance?
PCI non-compliance is the failure to adhere to the PCI DSS security requirements that your agreement with your payment processor or acquiring bank obligates you to meet. Non-compliance is typically discovered in one of the following ways:
- Post-breach investigation: Complying with PCI DSS does not guarantee protection against data breaches. However, if a forensic investigation following a breach finds that the merchant was not compliant at the time of the breach, the merchant will be subject to fines and penalties until compliance is restored.
- Improper storage of card data: Writing down card details and leaving them in public view, failing to secure physical or digital payment records, or storing card data without proper encryption are all grounds for a finding of non-compliance.
- Insufficient protection of cardholder data: This includes weak password and access-control requirements and failure to meet the standard's privacy and encryption requirements.
The PCI Security Standards Council publishes the standard but does not enforce compliance. Enforcement is left to the individual payment brands, which set their own compliance programs and penalties. In practice, the brands levy fines on the acquiring bank, and the acquirer passes them on to the merchant under the terms of the merchant agreement.
Are you PCI compliant? If you accept, process, store, or transmit card information, you need to be. The standard is organized into 12 requirements, and working through each of them in order is the most reliable way to find gaps.
Is There a PCI Compliance Fee?
Payment processors like Square and PayPal work directly with the card brands to help small businesses accept card payments through point-of-sale systems and over the internet. These processors must ensure the cardholder data they handle remains secure, and some charge a PCI compliance fee to offset that cost.
Typically, PCI compliance fees range from $8-10 per month, or $75-120 per year, though actual amounts vary between payment processors. Some processors may decide to waive the fee altogether and instead roll PCI compliance costs into other payments.
It is easy to assume the PCI compliance fee is a scam, but these fees usually fund additional services from the processor, such as regular vulnerability scans or data breach insurance. Review your payment processor's terms of service and understand its fee structure before signing on.
Is There a PCI Non-Compliance Fee?
Failing to comply with PCI DSS can carry hefty fines, and an organization will incur them monthly until its operations are brought back into compliance.
The severity of PCI non-compliance fines varies with several factors, including the size of the offending organization, the volume of transactions it processes, and the terms of its agreements with each card brand and payment processor.
Payment processors typically charge a PCI non-compliance penalty of $20-$50 per month if your account is found to be out of compliance, and continue to charge it until the account is made compliant. If the account remains non-compliant, the processor may suspend your ability to charge cards until the issue is fixed, or may close the account entirely.
Card brand fines are another matter. If a card brand finds your organization non-compliant, you can expect fines of $5,000 to $100,000 per month, which can escalate the longer the organization remains out of compliance. These fines are assessed against your acquiring bank, which passes them on to you.
In addition, the card brands can impose separate assessments following a data breach, even if the organization was compliant at the time. These penalties vary with the size and scope of the breach and the terms of your processor agreement, and are usually either a lump sum of up to $500,000 per incident or a fixed amount per affected cardholder.
Other PCI Compliance Penalties
In addition to monetary penalties, organizations that fail to comply with PCI standards may be subject to the following:
- Required breach notification: All 50 U.S. states have data breach notification laws. After a breach exposing personal or financial data, an organization must notify the affected individuals, and in many states the state attorney general or other regulators as well, whether or not PCI non-compliance was a factor.
- Loss of the ability to process payments: Businesses that fail to achieve PCI compliance after an extended period may have their ability to process card payments revoked. This is usually temporary, lasting until compliance is restored, but in egregious cases a merchant may permanently lose the ability to accept card payments through its processor.
- Lawsuits: Organizations that suffer a data breach and are found to have been operating out of compliance may face class-action lawsuits, with the attendant cost in time, legal fees, and settlements.
- Loss of trust: Business partners and the public are far less likely to entrust their financial information to a business that has been shown to be non-compliant.
Maximize PCI Compliance With DuploCloud
Achieving PCI compliance is essential, but it is not easy. There are numerous controls to implement, and it can take months for even a large development team to bring a live application into compliance.
That is why we built DuploCloud, which automatically applies PCI DSS security controls across cloud-native application deployments and provides active, 24/7 monitoring to reduce the likelihood of drifting out of compliance. Read our whitepaper to learn how DuploCloud can strengthen security while lowering cloud operating costs and shortening your time to go-live.