PCI non-compliance penalties: fine schedule, breach liability, real cases

Non-compliance is not a single fine. It is a chain that runs from the card brand down to the merchant, and another chain that activates the moment a breach is confirmed. Both are documented here.

Updated April 2026

Fine escalation

What you pay each month you are not compliant

Card brand fines are levied on the acquirer and almost always passed through to the merchant. They escalate the longer you stay non-compliant.

Period                   Fine range
Month 1-3                $5,000 - $10,000 / month
Month 4-6                $25,000 - $50,000 / month
Month 7+                 $50,000 - $100,000 / month
Post-breach (one-off)    $500,000 - $5,000,000+

Card brand programmes

Each card brand runs its own enforcement programme with subtly different thresholds and tactics. Visa and Mastercard are the most aggressive.

Brand, programme, and enforcement approach:

Visa - Cardholder Information Security Program (CISP): Most aggressive enforcement. Visa sets the Level 1 threshold at 6 million transactions and can mandate Level 1 status for any compromised merchant regardless of transaction volume.

Mastercard - Site Data Protection (SDP): Similar enforcement to Visa. Mastercard may require merchants to use specific QSA firms for assessments after a breach. Fines can reach $100,000/month for continued non-compliance.

American Express - Data Security Operating Policy (DSOP): Fewer merchant tiers than Visa/Mastercard; AmEx uses three levels based on transaction volume. Generally less aggressive enforcement, but AmEx can revoke card acceptance privileges.

Discover - Discover Information Security & Compliance (DISC): Smallest enforcement programme among the major brands, with three compliance tiers. Historically less aggressive with fines, but Discover can and does revoke acceptance privileges after breaches.

Breach liability components

Card brand fines are usually the smallest line on the post-breach invoice. The biggest costs come from forensic investigation, fraud reimbursement, and class action settlements.

Fraudulent charge reimbursement: unlimited liability
The merchant may be liable for all fraudulent charges made with compromised card numbers until the cards are replaced.

Card replacement costs: $3 - $10 per card
The issuing bank must reissue every compromised card. These costs are passed back to the merchant through the acquiring bank.

PCI Forensic Investigator (PFI): $20,000 - $100,000+
A PFI investigation is mandatory after a confirmed breach to determine the scope, cause, and extent of the compromise.

Card brand fines: $5,000 - $500,000+
Fines levied by Visa, Mastercard, AmEx, and Discover through the acquiring bank, based on severity and compliance status.

State attorney general fines: $100 - $1,000 per record
Varies by state. States with specific PCI-related laws impose additional penalties beyond federal requirements.

Breach notification costs: $1 - $3 per notification
Most states require written notification to all affected individuals. This includes printing, postage, call centre setup, and credit monitoring.

Class action settlements: varies widely ($1M - $100M+)
Consumer and financial institution class action lawsuits are common after major breaches. Settlements often exceed the initial fine amounts.

Business interruption: unquantifiable
Loss of customer trust, revenue decline, increased processing rates, and potential loss of card acceptance privileges.

Real-world case studies

The headline figures below combine fines, fraud reimbursement, settlements, and remediation. They are the cost of being non-compliant or compliant only on paper at the moment of breach.

Target (2013): $292 million ($162 million after insurance); 40 million cards compromised
Attackers gained access through an HVAC vendor's credentials. The breach led to CEO and CIO resignations. Target spent $200 million upgrading payment systems and $61 million on breach-related settlements.

TJX Companies (2006-2007): $256 million; 45.6 million cards compromised
Hackers exploited weak wireless encryption (WEP) at two Marshalls stores to access the corporate network. The breach was not detected for 18 months. Costs included settlements with banks, card brands, and state attorneys general.

Heartland Payment Systems (2008): $200 million+; 130 million records compromised
A SQL injection attack on the payment processor's web application. Despite having been assessed as PCI compliant at the time of the breach, Heartland was later found to have been non-compliant. The breach led to the largest identity theft case in US history at the time.

Home Depot (2014): $179 million; 56 million cards compromised
Attackers used stolen vendor credentials and a Microsoft Windows vulnerability. The breach went undetected for five months. Home Depot paid $25 million to financial institutions and $134.5 million in bank and consumer settlements.

CardSystems Solutions (2005): company went bankrupt; 40 million cards compromised
The payment processor stored unencrypted cardholder data in violation of PCI DSS. After the breach was discovered, Visa and American Express revoked CardSystems' ability to process transactions, effectively ending the company.

Wyndham Hotels (2008-2010): $10.6 million FTC settlement; 600,000+ cards compromised across three separate breaches
Three separate breaches over two years were attributed to weak security practices, including default passwords, lack of firewalls, and improper storage of card data. The FTC sued Wyndham for deceptive security practices.

Want a written assessment of your exposure?

The PCI Forensic Investigator (PFI) directory is the official starting point. PFI engagement fees vary by scope and incident severity, and most engagements run between $20,000 and $100,000.

Frequently asked

Card brands fine acquiring banks $5,000 to $10,000 per month for the first three months of non-compliance, $25,000 to $50,000 for months four to six, and $50,000 to $100,000 from month seven onwards. Acquirers pass these fines through to the merchant. Post-breach one-off fines start at $500,000 and have reached $5 million.
