April 30, 2011 G Jason Schnellbacher

Non-Compliance Fines Range from $5,000 to $500,000 for Cardholder Data Breach

The importance of Payment Card Industry Data Security Standard (PCI DSS) compliance is vastly underestimated, though perhaps not as underestimated as the tangible and intangible costs of a data breach. Can you imagine a $60,000 fine?

  • Noncompliance Fines – Fines for failing to be PCI compliant range from $5,000 to $500,000 and are levied by acquiring banks and the card brands. A bank may fine a merchant to recover the cost of the forensic investigation it must perform to remediate the noncompliance. Card brands may levy fines as a penalty for noncompliance and impose a timeline of escalating fines. The following table is an example of the time-cost schedule Visa uses.

  • Breach Consequences – Even a company that is 100% PCI compliant and validated can still suffer a breach of cardholder data. A cardholder data breach can result in the following losses for a merchant:
    • A fine of $50 to $90 per compromised cardholder record
    • Suspension of card acceptance by the merchant's acquirer (merchant account provider)
    • Loss of reputation with customers, suppliers and partners
    • Possible civil litigation from affected customers
    • Loss of customer trust, which affects future sales

Every merchant that accepts payment cards has a Cardholder Data Environment (CDE): the systems and software that process, transmit or store cardholder data. The CDE is subject to the PCI DSS and to card association rules. But did you know that it is possible to reduce the merchant's PCI burden, for example by shrinking the scope of the CDE?

PCI DSS is not, in itself, a law. The standard was created by the major card brands: Visa, MasterCard, Discover, American Express and JCB. At the discretion of their acquirers or service providers, merchants that do not comply with PCI DSS may be subject to fines, card replacement costs, costly forensic audits, brand damage and more should a breach occur.

A little upfront effort and cost to comply with PCI DSS greatly reduces your risk of facing these extremely unpleasant and costly consequences. Assessed penalties are not openly discussed or widely publicized, but they can be catastrophic for a small business.

PCI DSS compliance involves a long list of requirements and is a significant responsibility for businesses of all sizes. According to the analyst firm Gartner Inc., meeting the security requirements costs the largest merchants (Level 1) $2.7 million on average. Even small merchants (Level 4) may have to spend several thousand dollars on the initial security assessment and on new technology and security measures. What's more, maintaining PCI compliance is a continuous process that requires constant vigilance and incurs ongoing costs. The penalties for non-compliance can be severe, including loss of the ability to accept card payments, audits and fines.

Attacks by well-organized criminals who use ever more sophisticated techniques to break into merchants' systems and steal sensitive data are on the rise.

One of the top reasons a merchant fails a PCI assessment, and a leading factor in data theft, is the failure to adequately protect stored cardholder data (PCI DSS Requirement 3). VeriSign Global Security Consulting Services, a division of security services vendor VeriSign, has conducted hundreds of PCI assessments in recent years. Of the merchant companies VeriSign assessed, 79 percent were cited for failure to protect stored data and therefore failed their assessments.

The challenge for merchants is finding and implementing a solution, or set of solutions, that adequately protects sensitive cardholder data.

If you need help with PCI remediation or compliance certification, contact us!

Interested in reading more? Check out these FAQs and Myths.

Source: First Data
Source: Focus on PCI