The Payment Card Industry (PCI) Security Standards Council offers a brief description of how extensive the consequences from noncompliance with its standards can be in terms of fines levied by banks and credit card companies, and of the consequences of data breaches that might occur even if a company is 100 percent PCI compliant. The council notes that fines incurred from noncompliance with PCI standards can range from $5,000 to $500,000.
The council offers the example of Visa, which uses a time-cost table that levies fines based on the category of the noncompliance (i.e., Level 1 or Level 2) and its duration. For example, Level 1 noncompliance occurring fo three months or less would incur a fine of $10,000 monthly, whereas Level 2 noncompliance for the same period would incure a fine of $5,000 monthly. At the highest level, where Level 1 noncompliance persists for seven months or more, the fines would amount to $100,000 monthly.
The council also lists the possible consequences to a company from a cardholder breach that occurs despite the company’s being 100 percent compliant with the PCI standards. For example, under such circumstances, the company could be subject to a $50 to $90 fine per cardholder data compromise; a compromised reputation among customers, suppliers, and partners; possible civil litigation from customers who experienced the breach; and a loss of customer trust which effects future sales.
