FitSmallBusiness
Fit Small Business offers unbiased, editorially independent content and reviews. We may earn money from partner links. Learn More.

Retail | Ultimate Guide

PCI Non-compliance Fee: What It Is & How To Avoid It

Published September 8, 2023

Published Sep 8, 2023

Anna Lynn Dizon

REVIEWED BY:
Anna Lynn Dizon

Andrea Herrera

WRITTEN BY:
Andrea Herrera

This article is part of a larger series on Payments.

Table of Contents
  1. 1 Understanding PCI Non-compliance Fees
  2. 2 PCI Compliance Fee vs PCI Non-compliance Fee
  3. 3 Avoiding PCI Non-compliance Fees
  4. 4 What To Do If Non-compliance Is Detected
  5. 5 FAQs
  6. 6 Bottom Line

A PCI non-compliance fee may be charged by merchant services providers or payment processors when a business does not meet minimum security standards when processing card payments. Fees range from $20 every month up to $5,000 or more, depending on the details of non-compliance and security breach, if any.

These security standards—known collectively as the Payment Card Industry Data Security Standard (PCI DSS)—were established to ensure the protection of sensitive payment card information during transactions and prevent data breaches and fraud.

Check out our comprehensive guide on PCI compliance for small businesses for detailed information on the PCI DSS and continue reading to learn more about PCI non-compliance fees and how to avoid them.

Understanding PCI Non-compliance Fees

One of the most immediate and tangible consequences of PCI non-compliance is the possible imposition of fines and penalties. Merchant services providers and payment processors have the authority to charge monthly PCI non-compliance fees on non-compliant businesses, as well as fines and penalties in the event of a security breach. As we covered above, these charges could be as low as $20 a month until your business is in compliance, up to $5,000 or more in the case of a security breach in which you are found to be non-compliant.

These charges can accumulate rapidly and result in substantial financial strain, particularly for smaller businesses that may not have the resources to cover such expenses. Non-compliance fees are intended not only to encourage adherence to PCI standards but also to compensate for the costs associated with investigating and mitigating security breaches.

Although the amount of non-compliance fees differs depending on the degree of non-compliance, there are factors that can affect how much your payment service provider may charge for non-compliance.

  • Merchant agreement: Your merchant account provider may have specific stipulations on the amount of non-compliance fees in the event that non-compliance is detected. Check your merchant agreement for any amounts indicated.
  • Business size: The size of your business or the volume of transactions you process may also affect the amount of your non-compliance fee. The higher the volume of monthly transactions you process, the higher the fee.
  • Number of employees: The number of employees you have affects your business’ vulnerabilities and security risks. This may cause higher non-compliance fees.
  • Physical environment: The location and configuration of your hardware may affect any fines you need to pay. Remote work and the use of own devices in the work environment are also factors to consider, especially if payment processing is done on remote or personal devices of employees.
  • Hardware: Every piece of hardware used needs to be compliant with the PCI DSS.

Examples of Issues That Could Result in a PCI Non-compliance Fee

  • Keeping credit card information of customers without proper encryption, such as saving it in your own business computers or having it on paper in unlocked or unsecured locations
  • Unprotected and insecure storage of customer and employee usernames and passwords
  • Using a point-of-sale (POS) system connected to another system that does not comply with PCI DSS
  • Not updating your network firewall when new versions are released

According to Verizon’s 2022 Payment Security Report, only 43.4% of organizations are achieving 100% PCI DSS compliance.

PCI Compliance Fee vs PCI Non-compliance Fee

There are two types of PCI compliance-related fees you could see on your monthly processing statement. In addition to the PCI non-compliance fee we’ve discussed above, there are also PCI compliance fees.

PCI compliance fees are extra fees charged to merchants by payment processors (on top of credit card processing fees) to adhere to the requirements of the PCI DSS. This fee ranges from $50 to $240 per year or $5 to $20 per month. However, some providers do not charge any extra fees for PCI compliance.

For small businesses, it is better to sign up with a provider that does not charge any PCI compliance or non-compliance fees as these significant costs can hurt your bottom line. Square, for example, is an all-in-one solution that comes with built-in PCI compliance at no extra cost. It does not charge for PCI non-compliance either.

Visit Square

Avoiding PCI Non-compliance Fees

Simply put, not adhering to the PCI DSS will incur PCI non-compliance fees. The best way to avoid those fees is to ensure the security of your customer’s information and safeguard sensitive cardholder data.

PCI DSS is currently in a transition period to move from its previous version, PCI DSS v3.2.1, to the new version, PCI DSS v4.0. Learn what you need to keep your business PCI DSS v4.0 compliant in our PCI compliance guide.

Understanding how to avoid PCI non-compliance fees is essential for businesses that handle credit card transactions. Here are some key strategies you can adopt to prevent PCI non-compliance fees:

Sign Up With a PCI-compliant Payment Processor

When looking for a payment processor, make sure to sign up with one that is PCI-compliant and provides support for full PCI compliance of your business operations. Doing so ensures that the online payment processing aspect of your business is PCI-compliant and you only need to worry about your share of PCI compliance. You can avoid PCI compliance and non-compliance fees by registering with a provider that does not charge these fees.

Implement Strong Security Measures

To strengthen defenses against potential breaches and maintain PCI compliance, adopt a comprehensive set of security measures that safeguard sensitive payment data.

Firewalls and intrusion detection systems form the frontline defense against unauthorized access and cyber threats. Firewalls act as barriers that filter incoming and outgoing network traffic, blocking potential threats and allowing only legitimate communication. Intrusion Detection Systems (IDS) monitor network activities in real time, alerting administrators to any suspicious or anomalous behavior that might indicate a breach attempt.

Creating a secure network setup is like building strong walls around your sensitive payment information. It helps keep out hackers and stops them from stealing important data. Imagine your home having separate rooms for different things—a living room, a kitchen, and bedrooms. This way, if one room has a problem, it doesn’t affect the other areas.

Similarly, in your business, you can set up special areas for payment data. For example, you might establish separate network segments for point-of-sale systems, employee workstations, and guest Wi-Fi. This way, even if a breach occurs in one segment, the others remain protected.

Additionally, implementing virtual local area networks (VLANs) can provide an added layer of security by segregating network traffic based on logical divisions, such as departments or user roles.

Ensure Proper Data Encryption

Data encryption keeps important information safe from prying eyes. When you send or store data, encryption turns it into a secret code that only the right people can understand. Encryption is crucial for keeping sensitive payment details hidden from hackers.

There are two ways data encryption should be implemented: at rest, when it is on a computer or server, and in transit, when it is being sent from your device to a website. Use cryptographic protocols like secure sockets layer (SSL) and transport layer security (TLS) to secure online communication and data transmission over the internet. They provide a secure way to transmit sensitive information, such as credit card numbers, passwords, and personal details, between a user’s web browser and a website’s server.

Establish Robust Access Controls

Controlling who can access sensitive information is crucial for keeping data safe. This is where robust access controls come into play. Implementing strategies like role-based access and multi-factor authentication can ensure that the right people have the right level of access, reducing the risk of unauthorized use or exposure of sensitive data.

Role-based access control is a method where users are given access to specific parts of a system or data based on their job roles. This ensures that your employees can only access the information that’s relevant to their work responsibilities. For instance, an inventory manager might have access to inventory records, while a salesperson might only have access to customer data.

MFA adds an extra layer of security to the login process. It requires users to provide more than just a password to access a system or application. This could involve providing a password, a unique code sent to their phone, or a fingerprint scan. MFA helps prevent unauthorized access even if someone knows a user’s password. For instance, when you receive a code on your phone after entering your password, that’s an example of MFA in action.

Perform Regular System Updates and Maintenance

Regular system updates and maintenance play a crucial role in maintaining the integrity of your technology infrastructure. Applying patches and keeping anti-virus software current should be a part of your defenses against evolving cyber threats and vulnerabilities.

Patch management is the proactive practice of applying software updates, or “patches,” to computer systems, software applications, and operating systems. These updates are released by software vendors to fix security vulnerabilities and bugs. Promptly install patches as they become available to immediately close potential entry points that hackers might exploit to gain unauthorized access or compromise data.

Anti-virus software is designed to identify, prevent, and remove malicious software, such as viruses, worms, and Trojans. Keeping this software up to date is essential, as cyber threats continually evolve. Regular updates ensure that the software recognizes the latest threats and can effectively defend against them. Anti-virus software adds a critical layer of protection to your business’s digital environment, which reduces the risk of infections that could lead to data breaches or system compromises.

Ongoing Employee Training and Awareness

Empowering your employees with the knowledge to identify and address potential security risks is fundamental. According to the 2023 Data Breach Investigations Report, 74% of all breaches involve the human element through error, privilege misuse, use of stolen credentials, or social engineering.

It is important to cultivate a security-conscious business culture by conducting ongoing training and awareness initiatives.

Educating employees about the significance of security practices creates a sense of responsibility in safeguarding sensitive data. This includes understanding the importance of strong passwords, logging out of systems when not in use, and being cautious when sharing information.

Phishing attempts involve deceptive emails or messages designed to trick recipients into revealing sensitive information or clicking on malicious links. Training employees to recognize phishing indicators, such as unfamiliar senders or suspicious requests for personal data, is crucial. Equip your employees with the skills to discern and report phishing attempts to thwart potential cyber threats before they cause harm.

For more best practices on keeping your website and customer information safe, read our guide on ecommerce payment security.

What To Do If Non-compliance Is Detected

Discovering non-compliance with PCI standards requires swift and strategic action to rectify the situation and minimize potential damages. When your business is found to be non-compliant, your payment services provider may continue to charge non-compliance fees until you are fully compliant. To avoid paying non-compliance fees every month, you need to address it when detected.

Immediate Remediation

Addressing non-compliance issues promptly is essential. Identify the root causes of the non-compliance and take corrective measures to fix the vulnerabilities or gaps. This might involve updating security protocols, installing patches, or enhancing access controls. Swiftly addressing the issues can help reduce the chances of a security breach and mitigate further risks.

Communication With Payment Card Companies

Transparent communication with payment card companies is vital. Promptly inform them about the non-compliance discovery, your remediation efforts, and the steps you’re taking to prevent future occurrences. Working together with payment partners helps maintain trust and can lead to cooperation in resolving the issue.

Cooperation With PCI Security Standards Council

Engaging with the PCI Security Standards Council demonstrates your commitment to rectifying non-compliance. If needed, seek guidance on addressing the issues and achieving compliance. Following their recommendations and guidelines can aid in streamlining the remediation process and ensuring that your security practices align with industry standards.

PCI Non-Compliance Fees Frequently Asked Questions (FAQs)

Merchant account providers or payment processors may charge fees if your business fails to be PCI-compliant. This can start at $20 every month until you are PCI-compliant. In case of a security breach, the fines and penalties vary based on factors like the breach severity and payment agreements. In those cases, fees can range from thousands to tens of thousands of dollars.

After paying PCI non-compliance fees, the immediate financial obligation is settled with the relevant payment processor or merchant services provider. However, paying the fees does not necessarily address the underlying issues that led to the non-compliance in the first place, and most providers will continuously charge a monthly PCI non-compliance fee until your business is PCI-compliant.

The specific amount of PCI non-compliance fees can vary depending on your merchant account provider and on factors like the severity of the non-compliance and the volume of data compromised. There is no fixed fee, and the fees are usually determined on a case-by-case basis.

Bottom Line

Adhering to the PCI DSS is a must for any business that processes card transactions. A PCI non-compliance fee serves as a stern reminder of the importance of upholding these security standards and safeguarding sensitive payment card data. Avoiding non-compliance fees requires a proactive and comprehensive approach that includes partnering with a PCI-compliant processor, implementing strong security measures like firewalls and encryption, establishing robust access controls, and providing ongoing employee training.

About the Author

Andrea Herrera

Find Andrea OnLinkedIn

Andrea Herrera

Andrea is a retail expert writer at Fit Small Business, contributing to the payments section. Before joining Fit Small Business, she was an actuarial specialist and freelance writer. She also has experience helping online businesses with order and payment processing. Andrea has more than 11 years of experience writing online content on various topics ranging from marketing to business.

Sign Up For Our Retail Newsletter!
Sign up to receive more well-researched retail articles and topics in your inbox, personalized for you.
This email address is invalid.
Sign Up For Our Retail Newsletter!
This email address is invalid.