A PCI non-compliance fee may be charged by merchant services providers or payment processors when a business does not meet minimum security standards when processing card payments. Fees range from $20 every month up to $5,000 or more, depending on the details of non-compliance and security breach, if any.
These security standards—known collectively as the Payment Card Industry Data Security Standard (PCI DSS)—were established to ensure the protection of sensitive payment card information during transactions and prevent data breaches and fraud.
Check out our comprehensive guide on PCI compliance for small businesses for detailed information on the PCI DSS and continue reading to learn more about PCI non-compliance fees and how to avoid them.
Understanding PCI Non-compliance Fees
One of the most immediate and tangible consequences of PCI non-compliance is the possible imposition of fines and penalties. Merchant services providers and payment processors have the authority to charge monthly PCI non-compliance fees on non-compliant businesses, as well as fines and penalties in the event of a security breach. As we covered above, these charges could be as low as $20 a month until your business is in compliance, up to $5,000 or more in the case of a security breach in which you are found to be non-compliant.
These charges can accumulate rapidly and result in substantial financial strain, particularly for smaller businesses that may not have the resources to cover such expenses. Non-compliance fees are intended not only to encourage adherence to PCI standards but also to compensate for the costs associated with investigating and mitigating security breaches.
Beyond the degree of non-compliance itself, several other factors can affect how much your payment service provider charges in non-compliance fees:
- Merchant agreement: Your merchant account provider may have specific stipulations on the amount of non-compliance fees in the event that non-compliance is detected. Check your merchant agreement for any amounts indicated.
- Business size: The size of your business or the volume of transactions you process may also affect the amount of your non-compliance fee. The higher the volume of monthly transactions you process, the higher the fee.
- Number of employees: The number of employees you have affects your business’ vulnerabilities and security risks. This may cause higher non-compliance fees.
- Physical environment: The location and configuration of your hardware may affect any fines you need to pay. Remote work and the use of employees' own devices in the work environment are also factors to consider, especially if payment processing is done on employees' remote or personal devices.
- Hardware: Every piece of hardware used needs to be compliant with the PCI DSS.
Examples of Issues That Could Result in a PCI Non-compliance Fee
- Keeping credit card information of customers without proper encryption, such as saving it in your own business computers or having it on paper in unlocked or unsecured locations
- Unprotected and insecure storage of customer and employee usernames and passwords
- Using a point-of-sale (POS) system connected to another system that does not comply with PCI DSS
- Not updating your network firewall when new versions are released
According to Verizon’s 2022 Payment Security Report, only 43.4% of organizations are achieving 100% PCI DSS compliance.
PCI Compliance Fee vs PCI Non-compliance Fee
There are two types of PCI compliance-related fees you could see on your monthly processing statement. In addition to the PCI non-compliance fee we’ve discussed above, there are also PCI compliance fees.
PCI compliance fees are extra fees charged to merchants by payment processors (on top of credit card processing fees) to adhere to the requirements of the PCI DSS. This fee ranges from $50 to $240 per year or $5 to $20 per month. However, some providers do not charge any extra fees for PCI compliance.
For small businesses, it is better to sign up with a provider that does not charge any PCI compliance or non-compliance fees as these significant costs can hurt your bottom line. Square, for example, is an all-in-one solution that comes with built-in PCI compliance at no extra cost. It does not charge for PCI non-compliance either.
Avoiding PCI Non-compliance Fees
Simply put, not adhering to the PCI DSS will incur PCI non-compliance fees. The best way to avoid those fees is to ensure the security of your customer’s information and safeguard sensitive cardholder data.
Understanding how to avoid PCI non-compliance fees is essential for businesses that handle credit card transactions. Here are some key strategies you can adopt to prevent PCI non-compliance fees:
Sign Up With a PCI-compliant Payment Processor
When looking for a payment processor, make sure to sign up with one that is PCI-compliant and provides support for full PCI compliance of your business operations. Doing so ensures that the online payment processing aspect of your business is PCI-compliant and you only need to worry about your share of PCI compliance. You can avoid PCI compliance and non-compliance fees by registering with a provider that does not charge these fees.
Implement Strong Security Measures
To strengthen defenses against potential breaches and maintain PCI compliance, adopt a comprehensive set of security measures that safeguard sensitive payment data.
Ensure Proper Data Encryption
Data encryption keeps important information safe from prying eyes. When you send or store data, encryption renders it unreadable to anyone who does not hold the decryption key. Encryption is crucial for keeping sensitive payment details hidden from attackers.
There are two ways data encryption should be implemented: at rest, when it is on a computer or server, and in transit, when it is being sent from your device to a website. Use cryptographic protocols like secure sockets layer (SSL) and transport layer security (TLS) to secure online communication and data transmission over the internet. They provide a secure way to transmit sensitive information, such as credit card numbers, passwords, and personal details, between a user’s web browser and a website’s server.
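As an added illustration of the "at rest" half of this advice (example code written for this article, not the page's or any processor's own), the Go program below shows how a merchant system can keep a stored card number (PAN) unreadable with AES-GCM while retaining only a PCI-style mask for display. The 32-byte key and the test PAN are constructed demo values; in practice the key comes from a key-management system, not from source code.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"strings"
)

// MaskPAN keeps at most the first six and last four digits (the PCI DSS masking rule).
func MaskPAN(pan string) string {
	if len(pan) < 13 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

func NewPANCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPAN returns nonce||ciphertext||tag for the PAN, binding its mask as associated data; only this value and the mask are stored, never the plaintext PAN.
func SealPAN(gcm cipher.AEAD, pan string) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), []byte(MaskPAN(pan))), nil
}

// OpenPAN recovers the PAN; it fails if the ciphertext or the stored mask was altered.
func OpenPAN(gcm cipher.AEAD, mask string, sealed []byte) (string, error) {
	n := gcm.NonceSize()
	if len(sealed) < n {
		return "", fmt.Errorf("sealed PAN too short (%d bytes)", len(sealed))
	}
	pt, err := gcm.Open(nil, sealed[:n], sealed[n:], []byte(mask))
	return string(pt), err
}

func main() {
	gcm, _ := NewPANCipher([]byte("0123456789abcdef0123456789abcdef")) // constructed demo key
	sealed, _ := SealPAN(gcm, "4111111111111111")                      // constructed test PAN
	fmt.Println(OpenPAN(gcm, "411111******1111", sealed))
}
```

For the "in transit" half, note that PCI DSS no longer accepts SSL or early TLS as secure transport, so the protection this section describes comes from current TLS versions configured on your servers and devices.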
Establish Robust Access Controls
Controlling who can access sensitive information is crucial for keeping data safe. This is where robust access controls come into play. Implementing strategies like role-based access and multi-factor authentication can ensure that the right people have the right level of access, reducing the risk of unauthorized use or exposure of sensitive data.
Perform Regular System Updates and Maintenance
Regular system updates and maintenance play a crucial role in maintaining the integrity of your technology infrastructure. Applying patches and keeping anti-virus software current should be a part of your defenses against evolving cyber threats and vulnerabilities.
Ongoing Employee Training and Awareness
Empowering your employees with the knowledge to identify and address potential security risks is fundamental. According to the 2023 Data Breach Investigations Report, 74% of all breaches involve the human element through error, privilege misuse, use of stolen credentials, or social engineering.
It is important to cultivate a security-conscious business culture by conducting ongoing training and awareness initiatives.
For more best practices on keeping your website and customer information safe, read our guide on ecommerce payment security.
What To Do If Non-compliance Is Detected
Discovering non-compliance with PCI standards requires swift and strategic action to rectify the situation and minimize potential damages. When your business is found to be non-compliant, your payment services provider may continue to charge non-compliance fees until you are fully compliant. To avoid paying non-compliance fees every month, address the non-compliance as soon as it is detected.
Addressing non-compliance issues promptly is essential. Identify the root causes of the non-compliance and take corrective measures to fix the vulnerabilities or gaps. This might involve updating security protocols, installing patches, or enhancing access controls. Swiftly addressing the issues can help reduce the chances of a security breach and mitigate further risks.
Communication With Payment Card Companies
Transparent communication with payment card companies is vital. Promptly inform them about the non-compliance discovery, your remediation efforts, and the steps you’re taking to prevent future occurrences. Working together with payment partners helps maintain trust and can lead to cooperation in resolving the issue.
Cooperation With PCI Security Standards Council
Engaging with the PCI Security Standards Council demonstrates your commitment to rectifying non-compliance. If needed, seek guidance on addressing the issues and achieving compliance. Following their recommendations and guidelines can aid in streamlining the remediation process and ensuring that your security practices align with industry standards.
PCI Non-Compliance Fees Frequently Asked Questions (FAQs)
Merchant account providers or payment processors may charge fees if your business fails to be PCI-compliant. This can start at $20 every month until you are PCI-compliant. In case of a security breach, the fines and penalties vary based on factors like the breach severity and payment agreements. In those cases, fees can range from thousands to tens of thousands of dollars.
After paying PCI non-compliance fees, the immediate financial obligation to the relevant payment processor or merchant services provider is settled. However, paying the fees does not necessarily address the underlying issues that led to the non-compliance in the first place, and most providers will keep charging a monthly PCI non-compliance fee until your business is PCI-compliant.
The specific amount of PCI non-compliance fees can vary depending on your merchant account provider and on factors like the severity of the non-compliance and the volume of data compromised. There is no fixed fee, and the fees are usually determined on a case-by-case basis.
Adhering to the PCI DSS is a must for any business that processes card transactions. A PCI non-compliance fee serves as a stern reminder of the importance of upholding these security standards and safeguarding sensitive payment card data. Avoiding non-compliance fees requires a proactive and comprehensive approach that includes partnering with a PCI-compliant processor, implementing strong security measures like firewalls and encryption, establishing robust access controls, and providing ongoing employee training.