PCI DSS Fines & Penalties Explained

The complexity of achieving and maintaining PCI DSS compliance should not be underestimated. PCI DSS is the payment card industry's security standard, and compliance can only be achieved with a proper understanding of the requirements set out by the PCI Security Standards Council. Achieving PCI DSS compliance can be a daunting task without the right guidance. Although it is not a regulation but an industry rule, enforced through contracts, non-compliance can cost a business a fortune.

The consequences of non-compliance with PCI DSS include hefty fines and penalties. Beyond that, non-compliance can lead to lawsuits and other legal action, data breaches, and financial and reputational loss. In the worst case, it can cost a business its ability to process payment cards at all.

PCI DSS applies to businesses handling payment cards, so it affects every business that stores, processes, or transmits cardholder data. This article looks in a little more detail at the consequences of non-compliance with PCI DSS.

What are the Consequences of Non-compliance with PCI DSS?

PCI DSS is the baseline data security standard for organizations that handle and process cardholder data. It sets out the controls a business must put in place to handle card data securely. Although PCI DSS is not itself a law, it is the industry standard, and no payment brand or acquirer will let you process card data unless you validate your compliance (through a Self-Assessment Questionnaire or a Report on Compliance prepared by a Qualified Security Assessor, depending on your merchant level). Non-compliance with the PCI DSS requirements carries significant repercussions, including fines, penalties, legal action, data breaches, loss of revenue, and damage to business reputation.

The Payment Card Industry Security Standards Council (PCI SSC) manages and administers the PCI DSS framework. It is important to note that the fines are not set or published by the PCI SSC. PCI DSS is a contractual requirement between a merchant, its acquiring bank, and the card brands, so, because it is not a law, non-compliance results in fines and penalties charged by the card brands. Non-compliance typically comes to light after a data breach, and the fines are then passed on to the merchant by its acquiring bank. Read on to learn how PCI DSS fines and penalties work.

PCI DSS Fines & Penalties by the Payment Brands

When an organization has suffered a data breach, the payment card brand investigates the merchant's acquiring bank. Acquiring banks are the banks that process card transactions on behalf of merchants. The payment brand assesses whether the bank did its due diligence in verifying the merchant's level of PCI DSS compliance.

Based on the investigation's findings and the bank's level of monitoring, the brand fines the bank if the merchant is found to have been non-compliant at the time of the breach. The bank in turn passes the fines and penalties on to the merchant, typically as increased transaction fees, and depending on the severity of the breach it may terminate the merchant's account altogether. The penalties will typically also include breach-related fines and payment of damages to the affected consumers.

Under the contract between the merchant and the acquiring bank, a merchant found non-compliant pays the fees and related penalties. PCI DSS fines and penalties vary from one payment brand to another and also vary significantly with the severity of the breach, the merchant's compliance history, and its payment volume. Typically, though, merchants can expect financial penalties of anywhere from $5,000 to $10,000 per month for violating PCI DSS.

Payment brands rely on forensic investigations to determine the penalties for PCI non-compliance. Acquiring banks may at times levy additional fines over and above those imposed by the payment brands. The general range of penalties for PCI non-compliance is as follows:

  • Months 1-3: $5,000–$10,000 per month
  • Months 4-6: $25,000–$50,000 per month
  • Month 7 onward: $50,000–$100,000 per month

Even these fines will be small in comparison to the cost of lawsuits, action by federal regulators, credit monitoring for affected customers, compensation to affected customers, and the other financial penalties that follow PCI DSS non-compliance. Compensation alone can run from $50 to $90 for each customer affected by the breach.

Consequences of Noncompliance with PCI DSS

Hefty Fines & Penalties – We have already discussed this aspect of non-compliance: merchants have to bear substantial fines and penalties. The fines imposed depend on the number of months of non-compliance, the size of the business and its transaction volume, and the card brands involved. The monthly fine increases the longer the merchant remains non-compliant.

Data Breach – A data breach is the most likely consequence of non-compliance with PCI DSS. Most businesses that have suffered a data breach were found to have been non-compliant with PCI DSS requirements in some way. A breach brings a major setback, with legal as well as financial implications. Not only do merchants have to bear fines and penalties from the card brands, but also additional penalties from their banks for non-compliance, compensation for affected customers, and legal and forensic investigation fees. If the breach is severe enough, the merchant may also lose its ability to process card payments. Even a merchant that was compliant at the time of the breach is still responsible for forensic investigation costs and may still face penalties, although the card brands may reduce or waive fines in that case.

Forensic Investigation – Non-compliance and a data breach will also trigger a forensic investigation, which is expensive and time-consuming. The card brands typically require the breached merchant to engage a PCI Forensic Investigator (PFI) approved by the PCI SSC, and the merchant must provide the investigator with all its documents and evidence so that its compliance status can be assessed. The investigator then determines whether the breach resulted from non-compliance or from other control failures. The cost of the forensic investigation is borne by the merchant that suffered the breach, so the financial impact is significant.

Lawsuits – After a data breach, merchants are likely to face lawsuits if the impact of the breach is severe. Customers affected by the breach may sue the organization for poor security at its point-of-sale systems and in its network infrastructure. In addition to compensating those customers, the organization may have to reimburse the card issuers for reissuing cards and for the issuers' own compensation of their cardholders. The overall cost of dealing with multiple lawsuits and legal counsel can run to a fortune, possibly enough to put the organization out of business.

Reputational Damage – A data breach and non-compliance can have an irreversible impact on a business, not just financially but reputationally. Damage to the brand's reputation will be significant, as customers lose trust in the brand's ability to protect their personal information from theft. Regaining the trust of customers, acquiring banks and payment brands will be a huge challenge for the business.

Data Breach Cases

Warner Music Group (WMG) Breach – In 2020 WMG suffered a three-month-long Magecart attack, in which card-skimming code injected into its e-commerce sites captured customers' personal and financial information, including payment card details (card number, CVC/CVV, and expiration date).

Adobe Breach – Adobe suffered a severe data breach in October 2013, in which attackers stole nearly 3 million encrypted customer credit card records. It was one of the largest breaches involving payment card data at the time.

Conclusion

Clearly, the importance of achieving PCI DSS compliance is evident. Implementing and maintaining a strong security framework costs far less than the financial consequences of non-compliance with PCI DSS. Adopting industry best practice and consulting a compliance expert to build a robust security framework for payment card security is the best way to avoid the PCI DSS fines and penalties that follow a data breach.

Original Article Published on: Financederivative

Vinod Kumar

Sr. EVP & CIO at Fino Payments Bank Ltd

2 years

Well explained in simple language.
