PCI-DSS v3.2: What's the Cost of Non-Compliance?

3 minute read

Does your business store, process, or transmit any payment card information? Then you need to be compliant with the latest version of PCI DSS! We’ve already had a look at how to make sure you are compliant— in this article we’ll take a look at the effects of being non-compliant. These can involve hefty fines month after month, legal fees, and very unhappy customers: all things your business wants to avoid!

What is PCI-DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of guidelines decided on by the major credit card companies. These guidelines are intended to guarantee the security of all private data that is stored and transferred when merchants process credit card information. They are regularly refined and updated to reflect the latest potential security breaches: the latest version is v3.2.

PCI DSS was set up to minimise the result of any potential data security breaches, in order to minimise the level of risk that credit companies and consumers exposed themselves to with each transaction. As a result, any sign that you are non-compliant is bad news for your organisation, whether or not any data has yet been compromised. The costs of non-compliance can include:

  • a range of fines ranging from tens to hundreds of thousands of pounds
  • insurance claims
  • cancelled merchant accounts
  • ruined customer relationships

Although the ultimate cost of PCI DSS is an insecure business network, as we’ll see, whether or not a security breach has yet happened, that is just the tip of the iceberg.

Find out more about how you can ensure your business is PCI DSS compliant by contacting the experts at Immervox today.

How are businesses fined under PCI-DSS?

No matter if you have outsourced your PCI DSS compliance to another company, you are always ultimately responsible for the security of the data you process. Even if a company claims to have given your business complete PCI DSS compliance, if it turns out your system is non-compliant in any area, all legal culpability falls on you.

Fines for PCI DSS non-compliance are entirely at the discretion of your acquiring bank. If you are suspected by them to have compromised data security by not complying with PCI DSS, whether or not there has yet been a breach, you are liable to pay a fine. These fines are not standardised by the PCI DSS, who only establish security guidelines.

Every acquiring bank has their own arrangements for punishing non-compliance, but as a general rule there are 2 kinds of fine:

  1. Non-compliance fines: If your bank’s deadline for PCI DSS compliance has passed, and you are found to still not be up to standard, you are liable to pay a non-compliance. This could be tens or hundreds of pounds, to be paid every month you are still not compliant, perhaps increasing as time goes on.
  2. Data compromise fines: If your company suffers a data security breach and you are found to not have been PCI DSS compliant, the fines can be major. They tend to be based around a fixed fine of about £15,000, with the cost of remuneration and the cost of a full forensic investigation, which can be hundreds of thousands of pounds, charged on top.

Whether or not your company suffers a security breach, PCI-DSS non-compliance can cause financial headache.

But there's more...

Because legal culpability for PCI-DSS compliance falls entirely on the Merchant, the costs of non-compliance can snowball as potential lawsuits from customers and businesses affected by your oversights combine with fines from acquiring banks. It is not uncommon for an acquiring bank to close your account following PCI-DSS non-compliance, effectively putting you out of business as you are unable to process payments, and the damage to your business’ reputation and your customers’ confidence can be hard to come back from. By ensuring PCI-DSS compliance you avoid all these additional punishments in the event of a security breach and gain:

  • the ability to demonstrate that you have shown all due diligence to any authority you might deal with.
  • the secure knowledge that all the data you and your network process is authenticated and maintained with confidentiality and integrity: good news for your customers, your workers, and your bank.
  • a “Safe Harbour” from many legal fees and fines in the event of data breach: if you are PCI-DSS compliant are the time of a breach, insurers should pay remonstration fees, and no fines or additional charges will be inflicted on your business.

As the nature of modern business communications change to include new digital technologies, such as Unified Communications and cloud-based storage, it can feel that knowledge of your own PCI-DSS compliance is drifting out of your hands.

Speak to the experts at Immervox to make sure that your business is fully PCI DSS compliant by getting in touch today.

5 June 2019


Data security is an important part of running a business in the twenty-first century. With laws such as GDPR, and other data compliance laws across the world, ensuring your data is secure and...

Read more
14 May 2019


The benefits of unified communications are well documented. By integrating voice, mobile, data and cloud communication channels into one unified system, businesses can communicate and...

Read more
8 May 2019


Most businesses (89%) anticipate their IT budgets will grow or stay the same in 2019. The need to update outdated IT infrastructure is the biggest reason for this. There are so many factors that...

Read more