Organisations that violate the PCI DSS (Payment Card Industry Data Security Standard) can often find their problems escalating.
What starts as a simple mistake, such as failing to patch a known vulnerability in your point-of-sale system or forgetting to keep paper records locked away, can soon result in ongoing financial penalties and other problems.
In this blog, we look at the damage that can be caused by a PCI DSS violation, including the financial penalties and other knock-on effects.
PCI DSS fines
The PCI DSS is a standard rather than a law, and it’s enforced through contracts between merchants, acquiring banks that process payment card transactions and the payment brands.
As a result, the way penalties work differs from many other data protection regulations.
Notably, non-compliance doesn’t attract a single one-off fine. Instead, the payment brands can fine the acquiring bank, which typically passes the charge on to the merchant, between $5,000 (about €4,300) and $100,000 (about €86,000) a month until compliance is achieved.
Organisations can also face other punitive measures from their acquiring bank. For example, the bank might increase its transaction fees or terminate the relationship with the merchant altogether.
Additionally, the bank could implement stricter compliance requirements for organisations that commit repeated or egregious mistakes.
You can find more advice on how to meet your compliance requirements by reading PCI DSS Audits – Preparing for success.
This free guide helps organisations to prepare for a PCI audit and ensure a successful outcome.
Other consequences of a PCI DSS violation
Unfortunately for organisations that breach the PCI DSS, fines are only the start of their problems.
In many cases, the payment card brand will also seek recompense for the operational costs that resulted from the security incident. This includes the cost to issuing banks of reissuing payment cards and the recovery of fraudulent payments.
The acquiring bank will pass these costs on to the breached organisation, with the fees typically being $3 (about €2.50) to $5 (about €4.30) per affected card.
You should also expect to see your organisation’s reputation take a hit. Customers may be hesitant to use a company that has suffered a data breach, particularly if it was highly publicised.
Even if they aren’t actively discouraged by the incident itself, they may be put off by the measures you’ve implemented to mitigate the financial damage. For example, you might increase your prices to recoup losses, which brings its own reputational damage.
And in extreme scenarios – where organisations suffer either an extended period of non-compliance or repeatedly violate the PCI DSS’s requirements – these negative consequences could result in bankruptcy.
How to demonstrate PCI DSS compliance
Organisations can demonstrate their compliance with the PCI DSS by completing an audit of their CDE (cardholder data environment) against the applicable requirements of the Standard.
There are three types of audit:
- An RoC (Report on Compliance), which must be completed by a PCI QSA organisation such as IT Governance, or by an ISA (Internal Security Assessor), an employee of the organisation who has been trained and certified by the PCI SSC.
- An SAQ (self-assessment questionnaire) signed off by a company officer. There are nine types of SAQ, each covering a different way of handling card data, and it is essential that you choose the correct one.
- An external vulnerability scan conducted by an ASV (Approved Scanning Vendor). This must be repeated at least quarterly, and a passing scan supports an RoC or SAQ rather than replacing one.
The specifics of your PCI DSS compliance requirements will vary depending on your merchant or service provider level, based on the number of card transactions processed per year.
You can find out exactly what you need to do with our PCI DSS Documentation Toolkit.
This toolkit includes all the template documents you need to ensure complete coverage of your PCI DSS requirements.
All you need to do is fill in the sections that are relevant to your organisation.
The toolkit also contains a document checker to help you select and edit the appropriate policy, so that you can create and amend documents as needs arise.