Updated April 2026

PCI Non-Compliance Fines and Penalties

The cost of PCI non-compliance far exceeds the cost of compliance. Monthly fines typically start at $5,000 and can escalate to $100,000. After a breach, total costs for large merchants have reached hundreds of millions of dollars. This page provides industry-reported penalty ranges, real breach case studies, card brand enforcement programmes, and state-level legal penalties.

Non-Compliance Fine Escalation Schedule

Card brands (primarily Visa and Mastercard) impose escalating monthly fines for merchants found to be non-compliant with PCI DSS. These fines are levied against the merchant's acquiring bank, which passes them through to the merchant. The escalation is designed to compel compliance quickly. Fines increase over time and jump dramatically after a data breach.

Period                        Fine amount
Months 1-3                    $5,000 - $10,000 per month
Months 4-6                    $25,000 - $50,000 per month
Months 7+                     $50,000 - $100,000 per month
Post-breach (non-compliant)   $500,000 - $5,000,000+ (one-time)

These figures are widely cited ranges compiled from public QSA firm guidance, payment industry publications, and card brand programme documentation; the card brands do not publish their exact fine schedules. Actual amounts depend on the card brand, the severity and duration of non-compliance, the merchant's level, and the acquirer's relationship with the merchant.

Card Brand Compliance Programmes

Each major card brand operates its own compliance enforcement programme with different names, structures, and enforcement approaches. While PCI DSS is a single standard, the brands enforce it independently through their respective programmes.

Visa

Cardholder Information Security Program (CISP)

Generally regarded as the most active enforcement programme. Visa sets its Level 1 threshold at more than 6 million Visa transactions per year and can require any compromised merchant to validate as Level 1 regardless of transaction volume.

Mastercard

Site Data Protection (SDP)

Enforcement is similar to Visa's. Mastercard can require a compromised merchant to validate at Level 1 and to engage a PCI Forensic Investigator (PFI) for the post-breach investigation. Fines can reach $100,000 per month for continued non-compliance.

American Express

Data Security Operating Policy (DSOP)

Fewer merchant tiers than Visa and Mastercard: AmEx uses three levels based on transaction volume. Enforcement is generally less aggressive, but AmEx can revoke card acceptance privileges.

Discover

Discover Information Security & Compliance (DISC)

Smallest enforcement programme among the major brands, with merchant levels tiered by transaction volume. Historically less aggressive with fines, but Discover can and does revoke acceptance privileges after breaches.

Full Breach Liability Breakdown

A data breach when non-compliant with PCI DSS triggers a cascade of financial liabilities far beyond the card brand fines. These costs compound quickly and can threaten the survival of mid-market businesses. Here is the full list of liability components a breached merchant faces.

Component / Estimated cost

Fraudulent charge reimbursement: uncapped (depends on fraud volume)
The merchant may be liable for all fraudulent charges made with the compromised card numbers until the cards are replaced.

Card replacement costs: $3 - $10 per card
Issuing banks reissue every compromised card. These costs are passed back to the merchant through the acquiring bank.

PCI Forensic Investigator (PFI): $20,000 - $100,000+
A PFI investigation is mandatory after a confirmed breach to determine the scope, cause, and extent of the compromise.

Card brand fines: $5,000 - $500,000+
Fines levied by Visa, Mastercard, AmEx, and Discover through the acquiring bank, based on severity and the merchant's compliance status at the time of the breach.

State attorney general penalties: $100 - $1,000 per record
Varies by state. States with PCI-related statutes (see below) impose penalties on top of the card brand fine system, and breach notification statutes carry their own penalties for late or missing notice.

Breach notification costs: $1 - $3 per notification
All 50 states require notification of affected individuals. Includes printing, postage, call centre setup, and credit monitoring.

Class action settlements: varies widely ($1M - $100M+)
Consumer and financial institution class actions are common after major breaches. Settlements often exceed the initial fine amounts.

Business interruption: unquantifiable
Loss of customer trust, revenue decline, increased processing rates, and potential loss of card acceptance privileges.

For comprehensive breach cost analysis, see databreachcost.com.

Real Breach Case Studies

These are not hypothetical scenarios. Every case below is a real breach with verified financial impact sourced from SEC filings, court records, and official company disclosures. The total costs include settlements, fines, remediation, and operational expenses.

Target
Year: 2013
Total cost: $292 million ($162 million after insurance)
Cards affected: 40 million
Attackers gained access through an HVAC vendor's credentials and moved from the vendor-facing network to the point-of-sale systems. The breach led to the resignations of the CEO and CIO. Target reported $61 million in breach-related expenses in the quarter the breach was disclosed, accelerated its chip-and-PIN rollout, and settled with consumers, financial institutions, and state attorneys general.

TJX Companies
Years: 2005-2007 (disclosed January 2007)
Total cost: $256 million
Cards affected: 45.6 million
Attackers exploited weak wireless encryption (WEP) at two Marshalls stores to reach the corporate network. The intrusion went undetected for roughly 18 months. Costs included settlements with banks, card brands, and state attorneys general.

Heartland Payment Systems
Year: 2008
Total cost: $200 million+
Records affected: 130 million
A SQL injection attack on the payment processor's web application gave attackers a foothold on the processing network. Heartland had been validated as PCI DSS compliant before the breach; Visa removed it from the list of compliant service providers afterwards. The case formed part of the largest identity theft prosecution in US history at the time.

Home Depot
Year: 2014
Total cost: $179 million
Cards affected: 56 million
Attackers used stolen vendor credentials and a Microsoft Windows vulnerability to reach the point-of-sale network. The breach went undetected for about five months. Home Depot paid $134.5 million to card networks and their issuers, $25 million to a class of financial institutions, and $19.5 million to consumers.

CardSystems Solutions
Year: 2005
Total cost: company did not survive as an independent business
Cards affected: 40 million
The payment processor stored unencrypted cardholder data, including data it was not permitted to retain after authorisation, in violation of PCI DSS. After the breach was discovered, Visa and American Express revoked CardSystems' ability to process their transactions, effectively ending the company.

Wyndham Hotels
Years: 2008-2010
Total cost: $10.6 million in fraudulent charges alleged by the FTC; the 2015 FTC settlement imposed a 20-year information security programme rather than a monetary penalty
Cards affected: 600,000+ (three separate breaches)
Three breaches over two years were attributed to weak security practices, including default passwords, a lack of firewalls, and improper storage of card data. The FTC sued Wyndham under Section 5 of the FTC Act for unfair and deceptive security practices, and the Third Circuit upheld the FTC's authority to bring the case.

State-Level Legal Penalties

While PCI DSS is a contractual standard rather than a law, several US states have incorporated PCI DSS or related data protection requirements into their statutes. In these states, non-compliance creates direct legal liability beyond the card brand fine system.

State: Minnesota
Law: Minnesota Statutes 325E.64 (Plastic Card Security Act)
Impact: Prohibits storing magnetic stripe data, CVV, or PIN data after a transaction is authorised. Merchants who store prohibited data are liable for costs incurred by financial institutions in a breach.

State: Nevada
Law: Nevada SB 227 (NRS 603A)
Impact: Requires businesses that accept payment cards to comply with PCI DSS. One of the first states to codify PCI DSS compliance into law, making non-compliance a potential legal violation.

State: Washington
Law: Washington HB 1149 (RCW 19.255.020)
Impact: Holds merchants liable for financial institutions' costs (card reissuance, fraud losses) if the merchant was not PCI DSS compliant at the time of a data breach.

State: Massachusetts
Law: 201 CMR 17.00
Impact: Requires encryption of personal information (including card data) on portable devices and during wireless transmission. Aligns closely with PCI DSS Requirements 3 and 4.

Beyond these specific PCI-related statutes, all 50 US states plus the District of Columbia have data breach notification laws that impose additional obligations and potential penalties when card data is compromised. State attorneys general increasingly pursue enforcement actions against breached merchants, especially those found to be non-compliant at the time of the breach.

The ROI of Compliance: Cost Comparison

The financial argument for PCI compliance is not subtle. For every merchant level, the annual cost of maintaining compliance is a fraction of the potential monthly non-compliance fines, before considering breach liability at all.

Annual compliance cost by merchant level
Level 4    $1,000 - $10,000
Level 3    $5,000 - $25,000
Level 2    $30,000 - $150,000
Level 1    $50,000 - $500,000+

Non-compliance cost
Month 1 fine                  $5,000 - $10,000
Month 7+ fine                 $50,000 - $100,000 per month
Post-breach fine              $500K - $5M+
Large-merchant breach total   $100M+ (see case studies above)

Level 4 compliance costs $1,000 to $10,000 per year, which is comparable to a single month of early-stage fines ($5,000 to $10,000). A full year of escalating fines (roughly $390,000 to $780,000 under the schedule above) costs more than a decade of Level 4 compliance. The financial case is unambiguous.

Frequently Asked Questions

What are the fines for PCI non-compliance?
PCI non-compliance fines start at $5,000 to $10,000 per month and escalate to $50,000 to $100,000 per month for continued violations. After a data breach, non-compliant merchants face one-time fines of $500,000 to $5,000,000 or more from the card brands, plus card replacement costs, forensic investigation fees, and potential lawsuits.
Is PCI compliance required by law?
PCI DSS is not a federal law. It is a contractual requirement enforced by the card brands (Visa, Mastercard, American Express, Discover) through acquiring banks. However, several states, including Minnesota, Nevada, and Washington, have written PCI DSS or its core data-retention rules into their data breach liability statutes. In those states non-compliance creates statutory liability in addition to the contractual fines.
Who actually pays PCI non-compliance fines?
Card brands (Visa, Mastercard) fine the acquiring bank, not the merchant directly. The acquiring bank then passes these fines through to the merchant via the merchant agreement. In practice, the merchant ultimately bears the full cost. The fine amounts are determined by the card brand based on the severity and duration of non-compliance.
What happens to a business after a PCI data breach?
After a breach, the merchant faces: mandatory PCI Forensic Investigator engagement ($20,000 to $100,000+), card brand fines ($500K to $5M+), card reissuance costs ($3 to $10 per card), breach notification ($1 to $3 per affected individual), potential class action lawsuits, increased processing rates, and possible loss of card acceptance privileges. Total costs for large merchants run into the tens or hundreds of millions of dollars.
Can a business lose the ability to accept credit cards?
Yes. In extreme cases of non-compliance or after a severe breach, card brands can revoke a merchant's ability to accept their cards. This effectively shuts down card payment processing. CardSystems Solutions did not survive as an independent business after Visa and American Express revoked its processing privileges following a 40-million-card breach in 2005.