PCI fines for breaches range anywhere between $5,000 and $100,000 per month. These fines will be levied against a non-compliant merchant until such time that they become compliant.
PCI fines are never made available to the general public and are usually passed on to merchants by card processing companies. This is done by increasing the transaction fees charged to merchants. There is also the risk of termination of business relationships.
Besides the fines that will be payable in case of a credit card data breach, each individual person whose credit card and/or personal information was compromised in the breach will need to be notified, in writing, of the breach. Thus, the potential costs of a breach can be far greater than the fines mentioned above.
The potential cost of a breach can be broken down as follows:
- Fines between $5,000 and $200,000 per month per incident while not PCI compliant
- Additional audit requirements
- Potential of a ban for processing card payments being imposed on a business
- Cost of customer notifications about the breach
- Increased staff costs due to the vast amount of work required to become compliant
- Potential loss of business income due to reputational losses
These are the estimated amounts of fines when they are issued:
- 1 - 3 months of non-compliance:
  - $5,000 to $10,000 per month
- 4 - 6 months of non-compliance:
  - $25,000 to $50,000 per month
- 7 or more months of non-compliance:
  - $50,000 to $100,000 per month
- For each customer affected, additional fines are payable:
  - $50 to $90 for each affected person
It is highly advisable to become PCI compliant if you are not already, as the costs of not being compliant vastly outweigh the costs of becoming compliant!