Equifax famously agreed to a settlement of up to $700 million, including a $425 million fund for affected consumers, over a 2017 data breach that exposed the personal information of 147 million people and roughly 209,000 credit card numbers. It is one of the most notable breaches involving cardholder data since the standard came into effect.
While companies are generally not legally obligated to comply with PCI DSS, the standard is enforced contractually by the major payment card brands, including Visa, Mastercard, and American Express.
Consequently, PCI DSS compliance forms part of the contractual agreement between an acquiring bank and the payment card brands it partners with. If merchants or service providers fail to achieve or maintain compliance, the acquiring bank is likely to pass any fines on to them. Furthermore, acquiring banks may require PCI DSS compliance from any merchant seeking to connect to their services or whose systems could affect the security of cardholder data.
Service providers may also bear responsibility for certain PCI DSS requirements, depending on the services they provide to merchants or other organizations that handle cardholder data. For instance, if you operate a colocation center, you are responsible for the physical security controls protecting systems that store cardholder data, and your clients need evidence that you meet the PCI DSS requirements covering those controls.
In addition to potential fines and penalties, non-compliance can lead to less tangible consequences, such as damage to reputation and erosion of customer trust.
Non-compliance with PCI DSS can lead to fines totaling millions of dollars. The specific amount varies based on the payment card company, as well as factors like the size of the business, the number of affected customers, and the duration and severity of the non-compliance.
It's important to note that payment card brands do not publicly disclose the fines and penalties they assess for PCI DSS violations. However, we can gauge the potential costs by examining real-world data breaches and their resulting settlements. Below are some notable examples.
In 2013, attackers stole data from up to 40 million credit and debit cards of Target customers during the holiday season. The breach was traced back to credentials stolen from a third-party vendor. Target ultimately paid $18.5 million to resolve a multi-state investigation and $10 million to settle a class action lawsuit. Its total breach-related expenses reached $292 million, which included settlements of $19 million with Mastercard, $67 million with Visa, and $39.4 million with banks and credit unions.
In 2008, a massive cyberattack against Heartland Payment Systems compromised about 130 million debit and credit cards. The company incurred substantial fines and legal fees, including $60 million paid to Visa, $41 million to Mastercard, and $26 million in legal fees, bringing its total costs to roughly $140 million.
In 2007, TJX disclosed that at least 46 million credit and debit card accounts had been compromised; banks later put the figure at more than 94 million accounts. The company paid $41 million to Visa, $24 million to Mastercard, and $9.75 million in a multi-state settlement, bringing the total cost of the breach to approximately $256 million.
In 2017, Equifax experienced a data breach that exposed personal information of approximately 147 million consumers. As a result, the company agreed to a settlement of up to $700 million to resolve claims related to the breach, including compensation for affected individuals and states.
In 2019, a data breach at Capital One exposed the personal information of more than 100 million customers. The company was fined $80 million by the Office of the Comptroller of the Currency (OCC) for failing to establish effective risk assessment processes before migrating significant operations to the public cloud.
Yahoo reported that all 3 billion of its user accounts were affected by data breaches in 2013 and 2014. Verizon cut its acquisition price for Yahoo by $350 million as a result of the breaches' impact on the deal's value.
A credit card data breach can lead to significant financial losses for your company, with expenses piling up from incident response and remediation efforts, such as forensic investigations, legal fees, FTC audit costs, cardholder notifications, and customer compensation. Additionally, you may face increased rates from banks and payment processors.
These costs don't account for the damage to customer loyalty and your brand's reputation.
Moreover, after a breach involving cardholder data, the card brands may escalate your company to PCI compliance Level 1, regardless of the number of transactions you process. Validating Level 1 compliance requires a comprehensive on-site assessment and Report on Compliance conducted by a Qualified Security Assessor (QSA), which is considerably more costly than the self-assessment questionnaire available to smaller merchants.
Payment card brands do not fine merchants directly for non-compliance; instead, they penalize the acquiring banks that process the merchants' card transactions. These banks typically pass the fines on to the merchants.
Consequently, merchants may incur additional penalties for PCI non-compliance from their banks. These can include higher transaction fees, stricter audit requirements, or even termination of the banking relationship.
If your merchant account is terminated, you lose the ability to accept credit card payments altogether.
Costly fines aren't the only risks when it comes to PCI non-compliance. Here are a few more potential consequences of non-compliance:
Embarking on the PCI compliance journey requires a structured approach. Here are five essential steps to guide your business to successful compliance.
Determine whether PCI DSS applies to your business by assessing how you store, process, and transmit cardholder data, and define the scope of your cardholder data environment.
Educate your team on the importance of PCI compliance and on cybersecurity best practices to ensure secure handling of cardholder data.
Implement the required technical and operational safeguards, such as network segmentation and firewalls, encryption of cardholder data in transit and at rest, and access controls, to meet the PCI DSS requirements.
Assign dedicated personnel, tools, and budget to manage PCI compliance, ensuring all requirements are met and maintained.
Regularly audit and test your systems to maintain compliance, addressing any vulnerabilities found and staying current with changes to the PCI DSS requirements.
Curated by PCIcompliant.org, this page provides publicly sourced information on everything related to the PCI DSS standard, presented in a clear and concise manner for easy consumption.
Disclaimer
The information provided on this website is intended for educational and informational purposes only. The content is not intended to be a substitute for professional advice or any other legal advisory, service, etc. The site’s administrators and contributors make no representations or warranties of the information on the site. Any reliance you place on such information is therefore strictly at your own risk.
Copyright By PCIcompliant.org