Equifax was famously fined $425 million for a 2017 data breach that exposed the personal information of 147 million people, including their credit card numbers. It is one of the most notable PCI violations since the standard came into effect.
Learn more about potential PCI fines and penalties below.
What are the consequences of PCI non-compliance?
Companies are not legally required to be PCI compliant, but the standards are mandated by payment card companies including Visa, Mastercard, American Express, and other major card brands.
As such, PCI DSS compliance is part of a contractual relationship between an acquiring bank and the payment card companies they have a relationship with. The acquiring bank will likely pass any fines down to merchants and service providers that do not comply with PCI or fall out of compliance. In turn, these acquiring banks could require PCI DSS compliance from any merchants looking to connect with the bank's services or ones that could impact the security of cardholder data.
Service providers could also be responsible for certain PCI DSS requirements based on the services provided to merchants or organizations that handle cardholder data.
As a service provider, you might receive a request from an organization to be PCI DSS compliant if your services affect the cardholder data managed by that organization, or if you are responsible for certain PCI DSS requirements the organization needs to uphold. For example, if you are a colocation center, you would be responsible for the physical security of cardholder data, and your customers would need to ensure you are upholding the PCI DSS requirements for those controls.
In addition to facing fines and penalties, these businesses will likely suffer less tangible consequences like the loss of reputation and customer trust.
PCI DSS fines and penalties
PCI DSS non-compliance can result in millions of dollars in fines. The exact amount depends on the payment card company as well as factors such as the size of the business, the number of customers affected, and the length and degree of non-compliance.
It’s important to note that payment card companies do not have data posted publicly about the fines and penalties they may impose for PCI DSS violations. However, we can get a sense of how much PCI DSS violations might cost merchants by looking at examples of real-world data breaches and subsequent settlements. Below are some of the most noteworthy examples.
Target - $292 million
In 2013, hackers stole data from up to 40 million credit and debit cards of shoppers who had visited Target stores during the holiday season.
The Attorneys General of Connecticut and Illinois led an investigation into the breach and found that cyber attackers had accessed Target's gateway server through credentials stolen from a third-party vendor.
As a result, Target agreed to pay $18.5 million to resolve the multi-state investigation and settle claims by 47 states and the District of Columbia. This was in addition to $10 million they paid to resolve an earlier class action lawsuit as well as fines they paid to payment card companies and banks, including:
- $19 million to Mastercard
- $67 million to Visa
- $39.4 million to banks and credit unions for losses and costs related to the breach
Adding in the cost of legal fees, the total cost of their PCI non-compliance was reported as $292 million in their 2016 annual financial report.
Heartland Payment Systems - $140 million
In 2008, hackers launched a massive attack against Heartland Payment Systems and made off with as many as 130 million debit and credit cards.
Heartland had to pay millions in fines and legal fees, including:
- $60 million to Visa
- $41 million to Mastercard
- $5 million to Discover
- $3.5 million to American Express
- $26 million in legal fees
It was also banned from processing payments for major credit card providers for 14 months after the breach was discovered.
TJX - $256 million
In 2007, TJX announced that 46 million credit and debit card accounts were hacked in a data breach going back as far as 2003. It was later discovered that at least 94 million customers had been affected.
TJX had to pay millions in fines to payment brands, including $41 million to Visa and $24 million to Mastercard. It also paid $9.75 million in a multi-state settlement.
In addition to other fines and legal fees, the total cost of the breach was estimated to be $256 million.
Costs of a data breach
A credit card data breach can cost your company thousands in incident response and remediation: forensic investigations, legal fees, FTC audit costs, cardholder notification costs, customer compensation costs — even paying higher rates to banks and payment processors.
And that doesn’t even cover the loss of customer loyalty and brand reputation.
Any breach that compromises cardholder data also automatically moves your company to PCI compliance level 1, no matter how many transactions you process. Level 1 compliance requires a full assessment and a Report on Compliance (ROC) completed by a Qualified Security Assessor (QSA).
Loss of merchant license
Payment card companies do not fine merchants directly for non-compliance. Instead, they fine the acquiring banks that process merchants’ credit card transactions. Acquiring banks then likely pass these fines along to the merchants.
As a result, merchants may face additional penalties for PCI non-compliance from their banks. For example, the bank may increase its credit card transaction fees, impose stricter audit requirements, or terminate its relationship with the merchant altogether.
If your merchant license is revoked, you will no longer be able to accept credit card payments.
Additional PCI non-compliance risks
Costly fines aren’t the only risks when it comes to PCI non-compliance. Here are a few more potential consequences of non-compliance:
- Legal action taken by individuals whose data has been compromised
- Decreased sales due to damaged reputation and loss of customer confidence
- Fraud losses