PCI Non-Compliance Penalties & Fines
Card brands don't publish a single official fine schedule — fines are applied by acquiring banks and vary by card brand, merchant tier, and duration of non-compliance. Here's what the industry data shows.
Fine Schedule
| Duration of Non-Compliance | Monthly Fine Range | Trigger |
|---|---|---|
| First 1–3 months | $5,000–$10,000/month | Initial non-compliance finding by acquiring bank |
| 4–6 months | $25,000–$50,000/month | Continued non-compliance; escalating fines |
| 7+ months | $50,000–$100,000/month | Persistent non-compliance; potential termination of card acceptance |
| Post-breach (non-compliant) | $500,000–$5,000,000+ | One-time fine if a data breach occurs while non-compliant; plus full fraud liability |
Note: Fines are levied by Visa/Mastercard against your acquiring bank, which typically passes them on to you. American Express and Discover have their own compliance programmes with similar fine structures.
What “Full Breach Liability” Means
When a non-compliant merchant suffers a data breach, the card brands can shift the full cost of fraudulent transactions back to the merchant. This goes far beyond the monthly fines:
- Fraudulent charge reimbursement: if non-compliant at the time of the breach, the merchant bears the full cost of all fraudulent transactions traced to the breach.
- Card replacement costs: $3–$10 per card replaced; for large breaches this alone runs into millions.
- Forensic investigation (PFI): mandatory PCI Forensic Investigator audit, $20k–$100k+ depending on scope.
- Card brand fines (Visa/MC): $5k–$100k/month ongoing; $500k–$5M one-time post-breach fine.
- State attorney general fines: $100–$1,000 per record exposed, depending on state breach notification laws.
- Class action litigation: consumer and bank class actions; settlement costs often exceed the card brand fines.
- PR and notification costs: breach notification to affected customers at $1–$3 per notification, plus ongoing PR management.
- Business interruption: revenue lost during card-processing suspension or through reduced consumer trust.
Real-World Examples
What happens when card brands and regulators move against non-compliant merchants.
CardSystems Solutions (2005)
40 million card numbers exposed. CardSystems was storing full magnetic stripe data in violation of PCI rules — which didn't exist yet in final form, but the breach illustrated exactly why PCI DSS was created.
Outcome: Went bankrupt. Visa and Mastercard terminated its ability to process cards. First major PCI-era breach to cause a processor to cease operations.
Heartland Payment Systems (2008–2009)
130 million card records exposed via SQL injection. Heartland was PCI-compliant at the time of the breach — demonstrating that compliance is a floor, not a ceiling. Non-compliant merchants face all the same liability plus additional fines.
Outcome: Settled with Visa ($60M), Mastercard ($41.4M), Amex, and others. CEO Robert Carr became a vocal advocate for end-to-end encryption. Heartland survived but spent years recovering.
TJX Companies (TJ Maxx) (2006–2007)
At least 45.6 million card numbers exposed over 18 months. TJX was using weak WEP encryption on in-store Wi-Fi and was non-compliant with PCI standards at the time.
Outcome: Settled with Visa ($41M), state attorneys general, and customers. Required a major security overhaul. The incident accelerated PCI DSS adoption globally.
Wyndham Hotels (2008–2010)
Three separate breaches exposing over 600,000 card numbers, through non-compliant payment systems at franchised properties. The FTC case set a precedent that applies to all PCI merchants.
Outcome: The FTC sued Wyndham for unfair and deceptive practices. Settled for $10.6M plus a mandatory security programme. Landmark case establishing FTC authority over data security.
The Core Calculation
A Level 4 small merchant pays $1,000–$5,000/year for PCI compliance. Non-compliance fines start at $5,000/month — that's your entire compliance budget, every month you're non-compliant. And that's before any breach occurs.
The compliance ROI is rarely in question. The question is always execution: do you have the internal resources to get there, or do you need external help?