
Five risks for PCI DSS non-compliance

January 4, 2019 Article 2 min read
Scott Petree
Even if you don’t process a lot of credit card transactions, your organization could face severe consequences from PCI DSS non-compliance.

Businesses that don’t process a lot of credit cards often wonder why they need to comply with a security standard like the PCI DSS. As in most cases, a little knowledge of “why” can go a long way.

Businesses that don’t process more than 20,000 credit card transactions per year are categorized as level 4 merchants in the Payment Card Industry (PCI) world. Fortunately, level 4 has the fewest compliance requirements and therefore requires the least effort to achieve compliance.

However, according to Payment Card Industry data, this tier of merchants is also the most vulnerable to crime and cyberattacks. According to the PCI Security Standards Council, 71 percent of hackers attack small businesses and merchants with fewer than 100 employees (PCI, 2016). Beyond the risk of a data breach, contracts with an acquirer or payment processor will likely require your organization to be PCI compliant. This is true for every business that accepts even a single credit card for payment.

We’ve seen fines as small as $10 per month and as much as $5,000 per month or more.

Below are five risks you face with PCI DSS non-compliance:

1. Monetary fines

Non-compliance can lead to fines from payment processors. Fines range from $10 per month to $1,000 per month or more. Usually, this is in the payment processor’s statement as a “PCI non-compliance fee.”

2. Forensic audits

Upon a data breach, an organization must provide its compliance documents to a forensic examiner. The examiner will determine whether the data breach was a result of non-compliance or of other security-related control failures. The cost of the forensic examiner is placed on the entity that suffered the breach. If an organization has no compliance documentation, the examiner is also required to assess the entity’s controls to determine its compliance status, in addition to the forensic examination of the breach itself.

3. Payment brand restrictions

Payment brands can place restrictions on organizations such that no card processing will be accepted from non-compliant merchants. Brands may also completely terminate service if an organization does not achieve compliance.

4. Brand reputation

A data breach will significantly jeopardize brand reputation and customer loyalty. Organizations will be subject to public scrutiny and may lose customers due to poor controls over credit card information. According to a survey of 1,015 small and medium businesses conducted by the National Cyber Security Alliance, 60 percent of those breached closed their doors within six months.

5. Reactive compliance

The cost of compliance increases when expanding into new technologies. If you expand into new technologies without considering compliance, re-engineering or new equipment is often required afterwards to become compliant, whereas considering compliance before implementing the new technology avoids that. For example, if re-engineering or new equipment has been implemented, cardholder data may end up stored in more than one location. This broadens the scope of the cardholder data environment, which in turn increases the cost of ensuring compliance.

If you have any questions about becoming PCI DSS compliant, give us a call.
