PCI DSS compliance.
You’ve likely heard this term. But what does it mean? And what are the fines for PCI noncompliance?
PCI DSS is the Payment Card Industry Data Security Standard: a set of security requirements, maintained by the PCI Security Standards Council, that any business storing, processing or transmitting cardholder data agrees to meet as a condition of accepting cards. What happens if you don’t take proper care of customers’ card data?
Meeting PCI DSS requirements takes ongoing work, but falling out of compliance exposes your business to significant penalties that can affect the entire organization.
Say your company has suffered a data breach. The major card brands, such as Visa, Mastercard, Discover and American Express, will want to know the details. Each brand contacts your acquiring bank and reviews the compliance status the bank recorded for your business while it was processing your transactions. If that investigation finds you were out of compliance when the breach occurred, the card brands can fine your bank. It’s ultimately your responsibility to ensure your business adheres to PCI DSS: even if the bank dropped the ball, it will almost certainly pass the fines on to you.
Your bank might levy other consequences against your business, such as increasing individual transaction fees or even closing your account. Large companies can manage penalties, but for small businesses, they can lead to bankruptcy.
If you’re fined for noncompliance, you could also face steep legal fees and other liabilities, and your brand’s reputation is on the line. So, what’s considered a violation?
Table of contents
- What’s the Most Common PCI DSS Violation?
- What Fines Do Credit Card and Merchant Account Companies Impose?
- Are There Data Breach Penalties for Compliant Businesses?
- Are There Other Types of Penalties for PCI Noncompliance?
- What If This Is Your First PCI Compliance Offense?
- Credit Card Company PCI DSS Fees and Penalties
- Best Practices to Avoid PCI Noncompliance Fees
- Partner With Zenti
What’s the Most Common PCI DSS Violation?
It’s not hard to violate PCI DSS requirements, especially if you don’t have modern systems for handling sensitive information. Most violations aren’t intentional, but they still put cardholder data and other personally identifiable information (PII) at risk and can lead to legal action.
Some of the most common violations include:
- Forgetting to close device screens showing cardholder information or leaving this information otherwise publicly available.
- Failing to store paper documents in locked file cabinets.
- Connecting point-of-sale (POS) systems or machines to other company systems that lack PCI DSS protections, so the cardholder data environment is no longer isolated.
- Failing to adequately protect the credentials (usernames and passwords) of customers and employees.
Some of your business processes can result in a violation due to inadequate knowledge of best data protection standards. Ignorance isn’t an excuse; your business needs a merchant account partner who knows compliance rules. Zenti’s extensive knowledge and experience can take the worry out of PCI compliance.
What Fines Do Credit Card and Merchant Account Companies Impose?
When you sign your merchant services contract, you agree to pay if you don’t maintain PCI compliance. Fines and other penalties vary between merchant account providers. Merchants with high-risk accounts or high transaction volumes often face much harsher consequences. If credit card companies impose fines on merchant account processors for a merchant’s noncompliance, the merchant account processor typically forwards the fines to the merchant on their services bill. Even if a violation is accidental, merchant account providers won’t pay for your negligence.
Here’s the kicker: Penalties for PCI noncompliance can add up to 10,000 USD per month or more, and this fine can increase the longer you remain out of compliance.
Your compliance status is validated on a fixed cycle: most merchants complete a Self-Assessment Questionnaire (SAQ) annually, merchants with internet-facing systems in scope must also pass quarterly external scans by an Approved Scanning Vendor (ASV), and the largest merchants undergo an annual on-site assessment by a Qualified Security Assessor (QSA). Your acquirer or processor tracks that status month to month, and every month you remain noncompliant, you pay the fine assessed. Your payment processor could also increase your account’s monthly fees on top of the noncompliance fine, and if a breach affects your customers, you’ll also pay a per-card assessment.
It’s important to note that these fines are assessed differently from penalties for violating government regulations.
Governmental violations involve the courts, evidence and due process. PCI DSS fines are contractual: the card brand fines the acquiring bank or processor, and the processor passes the penalty on to the merchant under the terms of the merchant agreement, with no court involved.
To offer a little perspective: payment processors’ PCI noncompliance fines are often small compared with the fines and damages a breach can trigger under state, federal or foreign data-breach and consumer-protection laws, some of which incorporate PCI DSS requirements directly.
Actual noncompliance penalties vary between payment processors. While similarities exist, the amounts provided here are an average of what to expect if you fall out of PCI compliance. It’s a good idea to review your merchant account processing agreement and stay on top of PCI guidelines.
To better understand the penalties, think of it like this: Say a customer pays with a check, but the check bounces. The customer faces an insufficient funds charge imposed by their bank, and your business faces the same fee from your bank for depositing a bad check. Your business, in this example, forwards this fine to the customer with an additional fee.
Fines depend on how long you’ve been out of compliance, your transaction volume and your history with your merchant account provider. Here are some typical fines by noncompliance timeline, with lower amounts for merchants with lower transaction volumes:
- 30 to 90 days in noncompliance: 5,000 to 10,000 USD per month
- 120 to 180 days in noncompliance: 25,000 to 50,000 USD per month
- 210 days or more in noncompliance: 50,000 to 100,000 USD per month
Even businesses with lower transaction volumes could quickly go bankrupt in less than a year if they don’t bring their business into compliance. A merchant account with Zenti offers peace of mind that your business remains compliant with PCI DSS guidelines.
Are There Data Breach Penalties for Compliant Businesses?
What happens if your business experiences a data breach but has never fallen out of compliance? Even businesses that are 100% compliant aren’t impervious to a breach. Every company processing card transactions faces the same attackers, and those attackers grow more sophisticated every year. Even perfect PCI DSS compliance may not be enough to stop them.
Full PCI DSS compliance is the minimum a business should invest; there are plenty more controls that protect against breaches. And if a breach does happen, the card brands can still impose breach assessments, forensic investigation costs and card reissuance charges on a compliant merchant, although typically at lower levels than on a noncompliant one.
Are There Other Types of Penalties for PCI Noncompliance?
Businesses in noncompliance face other penalties on top of fines. When your business doesn’t follow PCI DSS requirements, you could also:
- Lose your right to process credit card transactions.
- Be responsible for any fraudulent charges.
- Have to pay for each affected customer’s card replacement fees.
- Be required to undergo a forensic audit.
These additional penalties can put a dent in your revenue, making it even more difficult to pay those hefty PCI fines. If you don’t have significant cash flow, just one data breach could render you out of business. You could permanently damage your relationships with credit card companies, payment processors and your bank. These entities don’t want to work with businesses marked as PCI noncompliant.
What If This Is Your First PCI Compliance Offense?
If your merchant account provider decides to stick with you, your monthly merchant account fee will likely increase, and your per-transaction fees could rise as well. You’d probably have to raise prices to cover those costs, and your customers might then shop with competitors offering similar items for less.
Large corporations can absorb these penalties without much of an effect. For a small business, it could be disastrous. And if a data breach also puts a business out of compliance with U.S. laws or regulations or those of other countries, fines and fees could be the least of your worries.
Credit Card Company PCI DSS Fees and Penalties
Card companies can, at their discretion, impose penalties that apply to each data breach, even if you’re compliant at the time of the breach. The amount card companies charge isn’t posted publicly, but it’s safe to assume that fines levied against noncompliant businesses are much higher than for those compliant at the time of a breach.
Here are some penalties imposed by credit card companies:
Noncompliance fines
These fines can be as high as 100,000 USD each month, depending on business size and degree of noncompliance. Even a company complying with PCI DSS can experience a data breach, because compliance doesn’t guarantee breaches won’t happen. Compliant companies can still receive fines, typically lower than those imposed on noncompliant companies.
Customer card reissuance
Each customer involved in a data breach gets a new card from the issuer. Card reissuance fees can be 5 USD per card or more. For a small company, a breach could affect thousands of cards; for a large corporation, millions. Even where cardholders suffer no direct loss, card brands can assess the merchant up to around 90 USD per affected card. Your bank and merchant account provider may also terminate their relationship with your business, which damages your reputation, and affected cardholders may sue. Even if you comply with PCI DSS, a breach can cause consumers, banks and card companies to lose trust in your business.
Legal and compensation costs
Customers and card companies can sue your business if you’re not compliant with PCI DSS, and legal fees can threaten the survival of a business of any size. You might also have to pay for credit monitoring, identity theft insurance, card replacements and other compensation if customers suffered losses from the breach. Multiply each item by the number of customers and entities affected, and the legal and compensation costs become steep.
Forensic audit costs
After a breach, the card brands require a forensic investigation by a PCI Forensic Investigator (PFI) to determine how the breach happened, what data was exposed and how to prevent a recurrence. The merchant pays for this mandatory investigation, and for a small business that cost alone can be enough to force closure.
Credit card companies may require you to invest in fraud prevention and security software that might be out of your price range.
If you were compliant and otherwise had security measures in place at the time of a breach, card companies may negotiate with you to lower your fines.
This may seem like a lot to impose on a business for a single breach, especially one that is PCI DSS compliant and where the breach was unintentional. But even an overlooked process that leads to a breach can damage your reputation, cost revenue, trigger audits and potentially put you out of business.
Best Practices to Avoid PCI Noncompliance Fees
Reaching PCI DSS compliance may seem intimidating, but it’s not as difficult as you might think. Most merchants validate compliance by completing the Self-Assessment Questionnaire (SAQ) that matches how they accept cards; which SAQ applies depends on how cardholder data flows through your systems, not simply on whether you run a physical store or an ecommerce site. Merchants with internet-facing systems in scope, which includes most ecommerce setups, must also pass external vulnerability scans by an Approved Scanning Vendor (ASV) four times per year, and the largest merchants need an annual on-site assessment by a Qualified Security Assessor (QSA).
To reach and maintain PCI DSS compliance, implement these best practices going forward:
- Create or update company security policies.
- Segment your network so the systems that store, process or transmit cardholder data are isolated from the rest of the business.
- Develop role-based access, granting each role only the access its job requires.
- Set up logging and alerting so you learn promptly when cardholder data could be at risk.
- Run security tests early and often.
- Don’t neglect issues you find during a security test.
- Continuously monitor your networks and watch for changes to critical system files and configurations, whether authorized or not.
- Regularly assess current and future potential risks.
- Ensure your staff is adequately trained in security protocols.
- Evaluate third-party services regularly.
- Layer defenses (firewalls, encryption, access controls, monitoring) so that no single failure exposes card data.
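One practical way to catch the kind of slip the violation list and the best practices above describe, cardholder data ending up somewhere it shouldn’t be such as application logs, is to scan for it. The following Python scanner is an added example, not code from the page or from Zenti: it finds candidate 13 to 19 digit numbers, confirms them with the Luhn check and a simplified issuer-prefix table for Visa, Mastercard, Amex and Discover (an assumption; real issuer ranges are broader), and reports or rewrites them masked to the first six and last four digits, the most PCI DSS allows to be displayed. The log lines are constructed for the example and use the brands’ widely published test numbers, not real cards.

```python
import re
from typing import List, Optional, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_brand(pan: str) -> Optional[str]:
    """Simplified issuer-prefix (IIN) table for the brands named in the article.
    Assumption for this example: real IIN ranges are broader than this."""
    n = len(pan)
    if pan.startswith("4") and n in (13, 16, 19):
        return "visa"
    if n == 16 and (51 <= int(pan[:2]) <= 55 or 2221 <= int(pan[:4]) <= 2720):
        return "mastercard"
    if n == 15 and pan[:2] in ("34", "37"):
        return "amex"
    if n == 16 and (pan.startswith("6011") or pan.startswith("65")):
        return "discover"
    return None


def mask_pan(pan: str) -> str:
    """Show at most the first six and last four digits (the PCI DSS display limit)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _normalize(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[Tuple[str, str]]:
    """Return (brand, pan) for each number that is Luhn-valid and brand-prefixed."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        pan = _normalize(m.group(0))
        brand = card_brand(pan)
        if brand and luhn_valid(pan):
            hits.append((brand, pan))
    return hits


def redact(text: str) -> str:
    """Rewrite text with every detected PAN masked; other digit runs are untouched."""
    def _sub(m: re.Match) -> str:
        pan = _normalize(m.group(0))
        if card_brand(pan) and luhn_valid(pan):
            return mask_pan(pan)
        return m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


def scan_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """(1-based line number, brand, masked PAN) per finding. The report carries
    only masked values so it does not itself become another copy of the PANs."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for brand, pan in find_pans(line):
            findings.append((no, brand, mask_pan(pan)))
    return findings


# Constructed sample log; the card numbers are widely published test numbers,
# not real cards. Line 1 holds a 16-digit order id that must NOT be flagged.
SAMPLE_LOG = [
    "2024-01-15T10:22:03Z INFO checkout order=1234567890123456 total=42.10",
    "2024-01-15T10:22:04Z DEBUG gateway request pan=4111111111111111 exp=12/26",
    "2024-01-15T10:22:05Z DEBUG gateway request pan=378282246310005 exp=03/27",
    "2024-01-15T10:22:06Z INFO support callback phone=555-0100 ref=5555555555554444",
    "2024-01-15T10:22:07Z WARN card entered with spaces: 4012 8888 8888 1881",
]

if __name__ == "__main__":
    for no, brand, masked in scan_lines(SAMPLE_LOG):
        print(f"line {no}: {brand} PAN {masked}")
    for line in SAMPLE_LOG:
        print(redact(line))
```

Luhn alone accepts roughly one in ten random digit strings, which is why the brand-prefix check is there; for real use, load the full issuer ranges, run the scanner over logs, databases, backups and ticketing exports, and then fix the component that wrote the PAN rather than only redacting its output.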
In addition to these strategies, the best way to eliminate PCI noncompliance fines is to have a knowledgeable merchant account provider on your side. Your merchant services provider can review your account and tell you what might lead to noncompliance.
Partner With Zenti
If you want to steer clear of noncompliance, choose a merchant account provider that’s PCI compliant. When you partner with Zenti, you’re protected. Contact us to find out how our experience translates into your profits.