The Consequences Of Being PCI DSS Noncompliant

The Consequences Of Being PCI DSS Noncompliant | 1st Secure IT data loss prevention cyber and IT security services risk management protection firm

The PCI DSS is mandatory for any business that stores, processes, or transmits payment card data. This matters: not only does noncompliance leave you exposed to a catastrophic data breach, there are stiff penalties for those who are found to be noncompliant.

But by whose authority is it mandatory? And where do the penalties come from?

This is a bit of a confusing subject for some people, and I hope this article clears things up.

Is PCI DSS The Law?

Strangely enough, unless you do business in Nevada, PCI DSS is not actually a law. Several states have laws that reference the PCI DSS (Minnesota’s Plastic Card Security Act, for example, adopts its rule against retaining sensitive authentication data after authorization), but only Nevada has written the standard itself into statute, through Nevada Senate Bill 227. There are no federal statutes that mandate PCI DSS compliance.

This seems strange though, doesn’t it? If, in general, the PCI DSS is not a law, then how is it mandatory?

The simple answer is that it’s a self-governing system. The PCI SSC, founded by the major card brands, maintains the standard, and the card brands enforce it through their agreements with the acquiring banks and payment processors that serve merchants. Compliance is their primary criterion for allowing your business to accept their cards. No one is forcing you to comply with the PCI DSS, but if you refuse to play by their rules, they can stop letting you accept their cards.

On top of this, your merchant agreement with your acquiring bank or payment processor almost certainly requires you to comply with the PCI DSS. If you’re found to be PCI DSS noncompliant, you may be in breach of that contract.

It ought to go without saying, though, that I’m an IT security specialist and not a lawyer, and the above shouldn’t be taken as legal advice.

Repercussions For PCI DSS Noncompliance From Your Payment Processor

So, now we know that the PCI DSS is not the law, but you can still be fined as though it were. What are the penalties?

First of all, the card brands do not fine you directly. If you’re found to be noncompliant, the fine is levied on your acquiring bank or payment processor for working with a noncompliant merchant, and those companies will almost certainly pass it on to you under the terms of your merchant agreement, since your noncompliance is the reason they were fined.

But there’s more than just financial penalties. Your payment processor and the card brand may elect to end their relationship with you, which can be disastrous for a business that relies heavily on card transactions for its income. Your bank may also cut ties with you. Yikes.

Even if they do decide to keep you around, they may raise your transaction fees, forcing you to either lose money on every transaction or raise your prices. This is bad news for anyone, but even more so if you’re the type of business that relies on competitive pricing.

How Much Are The Fines?

The amount you’re fined for noncompliance varies depending on the card brand. Each card brand has its own penalty schedule, and while the exact amount depends on many variables, it helps to have a general idea of what you’re looking at. For more detailed information, consult your agreement with your payment processor and the card brand security programs:

Visa US – Cardholder Information Security Program (CISP)

MasterCard – Site Data Protection (SDP)

Amex – Data Security Operating Policy (DSOP)

Discover – Information Security & Compliance (DISC)

JCB – Data Security Program (DSP)


Penalties are generally assessed monthly, and the longer you remain noncompliant, the heavier they become. That is deliberate: it gives you extra incentive to become compliant as soon as possible.

Depending on how long you have been noncompliant and how large your business is, the fees can range anywhere from $5,000 to $100,000 a month. These schedules aren’t widely publicized, but either way these aren’t small numbers, especially for a small business. At the heavy end, this could easily add up to more than $1 million in fines in less than a year.

The card brands are serious about data security, and they want you to know it.


Penalties If You Are Compliant

Believe it or not, you can be found 100% compliant with the PCI DSS and still receive a fine. This is what happens when you suffer a data breach, and it’s part of the risk every company takes when it is trusted with credit card data.

The unfortunate truth is that you can be compliant with the PCI DSS and still be breached by a sufficiently skilled attacker. Compliance is a point-in-time assessment against a minimum baseline, not a guarantee, which is an incentive for businesses to go beyond the minimum requirements and implement the best known cybersecurity practices. Be aware, too, that the forensic investigation that follows a breach frequently finds that the breached entity had drifted out of compliance by the time of the attack, whatever its last assessment said.

If you do experience a data breach that exposes credit card data, you may face a fine of $50 to $90 per compromised card. On top of this, you may lose your relationships with your payment processors and banks, even though you were compliant.

Of course, a data breach has external consequences too: bad publicity, damage to your reputation, the cost of credit monitoring for affected customers, and lawsuits from those customers, for example. This is precisely why companies should consider a data breach (cyber insurance) policy.

How To Avoid PCI DSS Noncompliance

The truth is that it’s difficult for small and medium businesses to recover from PCI DSS noncompliance fees. Even if you don’t lose your relationships with your payment processors, your bank, and the credit card companies, the fines will certainly sting.

If you don’t know whether you’re PCI DSS compliant, the truth is you’re probably not. Which makes it even more important that you contact 1st Secure IT today.

1st Secure IT is a registered QSA (Qualified Security Assessor) company, which means we’re qualified by the PCI SSC to perform PCI DSS assessments of your business.

We can also monitor your business to ensure it remains PCI DSS compliant, since new software, updates, and misconfigurations can pull you out of compliance without your noticing.

Don’t get caught with PCI DSS noncompliance – there’s too much on the line.

Contact 1st Secure IT today.

1st Secure IT

4613 N. University Drive #323
Coral Springs Florida
(866) 735-3369

Cyber Security Risk Management and Consulting Services | 1st Secure IT | When Compliance Is Not Enough

Monday, 19 August 2019
