Skip to Content
Cyber PCI compliance
Article

Five risks for PCI DSS non-compliance

January 4, 2019 / 2 min read

Even if you don’t process a lot of credit card transactions, your organization could face severe consequences from PCI DSS non-compliance.

Businesses that don’t process a lot of credit cards often wonder why they need to comply with a security standard like the PCI DSS. As in most cases, a little knowledge of “why” can go a long way.

Businesses that don’t process more than 20,000 credit card transactions per year are categorized as level 4 merchants in the Payment Card Industry (PCI) world. Fortunately, level 4 has the lowest amount of compliance requirements, thus requiring the least amount of effort for compliance.

However, according to Payment Card Industry data, this tier of merchants is also the most vulnerable to crime and cyberattacks. According to the PCI Security Standards Council, 71 percent of hackers attack small businesses and merchants with fewer than 100 employees (PCI, 2016). Beyond the risk of a data breach, contracts with an acquirer or payment processor will likely require your organization to be PCI compliant. This is true for every business that accepts even a single credit card for payment.


How often are you discussing cybersecurity with your IT leadership team? Learn what you might be missing.    

Below are five risks you face with PCI DSS non-compliance:

1. Monetary fines

Non-compliance can lead to fines from payment processors. Fines range from $10 per month to $1,000 per month or more. Usually, this is in the payment processor’s statement as a “PCI non-compliance fee.”

2. Forensic audits

Upon a data breach, an organization must provide their compliance documents to a forensic examiner. The examiner will determine if the data breach was a result of non-compliance or other security-related control failures. The cost of the forensic examiner is placed on the entity with the security breach. In the event an organization has no compliance documentation, the examiner is also required to perform an assessment of the entity controls to determine compliance status in addition to the forensic exam of the data breach.

3. Payment brand restrictions

Payment brands can place restrictions on organizations such that no- card processing will be accepted by non-compliant merchants. Brands may also completely terminate service in the event an organization does not obtain compliance.

4. Brand reputation

A data breach will significantly jeopardize brand reputation and customer loyalty. Organizations will be subject to public scrutiny and may lose customer loyalty due to poor controls over credit card information. According to a survey conducted by the National Cyber Security Alliance, of 1,015 small and medium businesses, 60 percent of those breached closed their doors within six months.

5. Reactive compliance

Cost of compliance increases when expanding into new technologies. If you expand into new technologies without considering compliance, often re-engineering or new equipment is required to become compliant versus considering compliance prior to new technology implementations. For example, if re-engineering or new equipment has been implemented, card holder data may be stored in more than one location. This would broaden the scope of the card holder data environment which, in turn will increase costs to ensure compliance.

If you have any questions about becoming PCI DSS compliant, give us a call.


PCI DSS Version 4.0 is here: Are you prepared? Make sure you’re meeting these new security standards. The stakes are high.

Related Thinking

Three business professionals having a conversation at a circular table while sitting down
December 20, 2024

Navigating M&A purchase price adjustments: Tips for reducing risk

Article 6 min read
Business professionals in a conference room discussing FFIEC CAT sunset
December 16, 2024

FFIEC CAT sunset: Considerations for choosing a new cybersecurity framework

Article 6 min read
Two business professionals holding a notepad and discussing with one another
December 16, 2024

Value creation: The upside of extended holding periods

Article 5 min read