Being in compliance with PCI requirements is extremely important to your business. It isn’t just something that you can ignore. Not only are you taking a big chance that your business can experience a catastrophic data breach if you are not in compliance, your business will face negative publicity, as well as some very real fines and other consequences if you are found to be out of compliance during your annual PCI-arranged audit. Those fines and consequences could come even outside of the audit period if you have a data breach due to non-compliance, and it compromises the financial and personal data of your customers.
These are the types of fines and consequences your business can be subjected to for PCI non-compliance.
Penalties from Your Payment Processors and Credit Card Companies
Any fines levied will be on your payment processors and/or credit card companies for working with a business that is in non-compliance. These companies will almost certainly pass on the fines to your business to recoup their losses from your negligence.
You can expect financial penalties from anywhere between $5,000 and $10,000 a month from these companies for violations of PCI compliance rules.
On top of the fines that will be passed on to your company, you will also likely lose your relationship with your bank, the credit card companies whose payments you accept, and any other payment processor you use. They won’t want to work with a client who isn’t PCI compliant.
If they keep you on as a client, they will likely raise your transaction fees, which will necessitate you raising your prices to pay for these fees. This could cause you to lose customers, who will want to shop with a merchant with similar products and services and cheaper prices than you can now afford to charge.
While these sorts of penalties may not have much of an impact on a large company that can easily absorb and re-distribute the losses, these things can be catastrophic for small businesses, and can potentially cause them to have to go out of business.
Be Familiar with Your Merchant Account Agreement to Make Sure You Know What Penalties They May Impose
Your merchant agreement with your payment processor will tell you what penalties you will be subject to for PCI non-compliance. If you work with more than one payment processor, be sure to read and become familiar with all of them. Each company may have different penalties they impose on client companies for PCI non-compliance.
The Typical Financial Penalties
While penalties do vary from payment processor to processor, there are some similarities. These are what are considered the typical penalties. While your payment processor may have slightly different penalties than the ones listed here, these are the typical ones you can expect if you haven’t read your merchant agreements and are in PCI non-compliance. These will at least give you a base-line level idea of what to expect if you aren’t in compliance with PCI standards.
Payment processors usually do bank forensic research to determine the fine they will levy for PCI non-compliance. Some of the fines will be standard, while others will be based on your history of compliance and degree or non-compliance at the time of the violation. Some payment processors and banks will also levy fines on top of what they are charged for your non-compliance. These are punitive fines they levy on you for being irresponsible with your PCI compliance duties.
Depending on how long you remain in non-compliance, and how much business your company does with the payment processor, fines for non-compliance may look like this with most payment processors and banks:
| One to Three Months in Non-Compliance | Four to Six Months in Non-Compliance | Seven Months and Upward in Non-Compliance |
|---|---|---|
| $10,000 a month for high-volume clients/$5,000 a month for low-volume clients | $50,000 a month for high-volume clients/$25,000 a month for low-volume clients | $100,000 a month for high-volume clients/$50,000 a month for low-volume clients |
Penalties for Data Breaches Even if You’re in Compliance
Even if your company is in PCI compliance, it isn’t 100 percent protected from data breaches. This is a risk every company takes that does business and financial transactions online. Hackers are getting more sophisticated. Even if you are in perfect PCI compliance, you may still experience a data breach. This will not only bring bad publicity to your company, it will also bring more penalties, even though you protected your company against it. This should give you a high level of incentive to make sure company is as protected as it can possibly be.
If your company has a data breach where cardholder data is compromised, you can expect penalties like these from your payment processors and banks:
- $50 to $90 fines per cardholder whose data was compromised
- Termination of your business relationship with your payment processors and banks
- Bad publicity for your company
- Lawsuits from customers whose data was compromised
- Loss of trust from your customers, who may not want to do business with you again, because they won’t be sure their card data is secure when they buy something from you
What You Can Do to Decrease Your Chances of Being Fined or Having Other Non-Compliance Consequences Imposed on Your Company
The best thing you can do to keep your company as safe from data breaches and the fines and penalties that come with them is to hire a third-party audit company to do quarterly audits of your PCI compliance that are independent of the PCI-mandated audits.
With the PCI-mandated audits, you are only checked once a year for PCI compliance. Things can change in the PCI compliance world between audits that you might not hear about, even through regular channels. You may also get computer glitches that can put you out of compliance without you knowing it.
Get more information on How to Train Employees and Set Policies fo PCI Compliance.
Using an objective third-party auditor like I.S. Partners, LLC to audit your company quarterly ensures you are always in compliance as defined by the most recent standards. If you aren’t in compliance, I.S. Partners, LLC will show you how to get back in compliance. This is the best protection from fines and penalties you can give your company. Give us a call at 215-675-1400 or request a PCI Quote
