PCI DSS compliance is a complex issue that every business handling cardholder data needs to have a solid understanding of. If you’re in breach of regulations, your business could be facing significant PCI compliance penalties that can have a major effect on cash flow and the overall financial health of your company. So, what are the PCI fines and penalties and how can you stay ahead of the game? Read on to find out everything you need to know about your PCI compliance journey.
What are the PCI/DSS regulations?
Put simply, PCI DSS (which stands for Payment Card Industry Data Security Standards) are a set of standards issued by the world’s major credit card companies, including American Express, Mastercard, and Visa. They are intended to protect cardholder information, ensuring that it’s transmitted, stored, and handled securely. For a little more information, you can see a full list of PCI DSS requirements here, provided by the PCI Security Standards Council.
Does PCI DSS apply to my company?
If your business handles card payments or financial information, then you are subject to PCI DSS. What exactly does this mean? In short, if financial information is entered, stored, or passes through your site in any capacity, you need to ensure that you’re compliant with PCI DSS. It’s also worth remembering that the exact assessment requirements your business needs to adhere to are determined by how large your business is:
Level 1 – Over 6 million transactions per year
Level 2 – 1-6 million transactions per year
Level 3 – 20,000-1 million transactions per year
Level 4 – Fewer than 20,000 transactions per year
PCI DSS fines and penalties from payment providers
Organisations found to be in breach of PCI DSS could be fined $5,000 to $100,000 per month (roughly £4,000 to £80,000 in GBP) by payment providers, according to the PCI Compliance Guide. In addition, the bank may impose other penalties, such as increasing transaction fees or even terminating the relationship altogether. Furthermore, additional fines may be levied for repeat violations, rising over time.
PCI compliance violation fines from governments
While penalties are not openly discussed, they can have serious, long-term effects on small to medium size businesses. But it’s important to remember that fines from payment providers are not the only type of penalty that you need to worry about when it comes to PCI DSS noncompliance penalties. You should also consider the potential impact of laws and regulations such as GDPR.
For example, the GDPR has strict reporting standards for a data breach and may impose significant penalties. The most severe violations may incur a fine of up to €20 million, or 4% of the annual worldwide revenue, whichever is greater. As large fines have already been levied against companies like British Air (£183.39 million), it’s a good idea to take the threat of GDPR penalties seriously.
Other PCI DSS noncompliance penalties
PCI compliance penalties don’t just come in the form of fines. There are a broad range of consequences associated with breaching the regulations, including a suspension of your ability to accept credit cards, liability for fraud charges, credit card replacement costs, and mandatory forensic examination. This can drain your finances and make it increasingly difficult to conduct business effectively, which is why a PCI compliance breach can be catastrophic for a business without significant cash reserves.
How to avoid PCI fines and penalties?
The best way to avoid PCI compliance violation fines is to ensure that your business is following every item on the PCI DSS checklist. Alternatively, you could use a trusted payments provider like GoCardless. With GoCardless, your site will never touch your cardholder’s financial data, which means that you won’t need to worry about PCI compliance penalties at any stage of the transaction.
We can help
GoCardless helps you automate payment collection, cutting down on the amount of admin your team needs to deal with when chasing invoices. Find out how GoCardless can help you with ad hoc payments or recurring payments.