PCI DSS compliance is not something you can be flippant about. The Payment Card Industry Data Security Standard is a high bar, and it is effectively mandatory for any business that wants to accept credit card payments, no matter how little direct contact your own systems have with card data.
Any security standard is only as good as its enforcement. PCI strictly enforces its standards because it’s a core foundation of the trust people have in credit cards. Without that trust, global commerce would face a serious crisis.
So, if you’re staring down the barrel of a PCI compliance audit, what happens if you fail? We’ve mentioned before that the penalties for noncompliance can be steep and severe, but what does noncompliance mean in this context? Let’s talk about it.
BLUF - Bottom Line Up Front
Any business that accepts credit card payments must meet PCI DSS. Enforcement is strict because card trust is essential. Audits differ by size: small merchants use self-assessment, large or breached firms need external audits. If an audit fails, you get 30 days to fix issues; after that fines rise monthly, breach fees may apply per exposed record, and legal, reputational, and card acceptance loss can follow. Use payment processors to cut scope and risk.
Who Needs to be PCI DSS Compliant?
First, it’s worth looking at who this applies to in the first place. While PCI DSS is one of the most common and widespread data security standards in the world, it can be surprising who it does and doesn’t apply to.
PCI DSS is meant to protect payment card information. If you handle, interact with, gather, or use payment card information at all, you’ll need to comply with PCI DSS standards at some level.
On one hand, this can feel very oppressive. If you’re a small business handling fewer than 100 transactions a month and even a single one of them is paid by card, you need to be PCI compliant.
On the other hand, there are a lot of ways to lessen the load. In fact, many of the most common ways to accept credit card payments, such as through a payment processor like Square, will do the vast majority of the work for you.
Two factors make PCI compliance easier than you might expect.
The first is scale. The smaller the business, the lighter the validation requirements. For merchants, the level is set by the number of card transactions processed each year (each card brand publishes its own thresholds, and some count e-commerce transactions separately). Level 4, the lowest level, is generally anything under 20,000 e-commerce transactions per year, which is a bit shy of 55 per day, 365 days a year.
In fact, whether or not you need a full PCI audit can vary, but we’ll get to that in the next section.
The second factor is scope. The larger your scope, the more work you have to do, and the more likely you will be to need a full audit. Many modern merchants use third-party software to handle payments and have very little interaction with payment card information at all. This offloads a huge amount of the PCI compliance work, though you will still have some responsibilities.
Who Needs a PCI DSS Compliance Audit
Before you start worrying too much about the penalties for failing an audit, it’s important to know if you even need an audit in the first place.
PCI audits come in three forms.
- Full External Audits. These apply to Level 1 merchants (those processing over 6 million transactions per year), sometimes to Level 2 merchants depending on the card brand, and to service providers handling 300,000+ transactions annually. They are deep, detailed, and high-stakes, but once you’ve reached that level of business, you should be used to all of the above.
- Self-Assessments. Merchants below Level 1 validate by completing a Self-Assessment Questionnaire (SAQ) and signing an Attestation of Compliance (AOC). You can do this yourself, have a PCI-certified Internal Security Assessor (ISA) on staff perform it, or hire an outside assessor to review your answers; some card brands require a QSA or ISA to be involved for Level 2 merchants.
- Breach Audits. In the event of a breach, a forensic investigation (normally by a PCI Forensic Investigator, or PFI) will be conducted as part of the response. This is where the most serious penalties can come from, because the investigation establishes whether you were noncompliant at the time of the compromise. A breached merchant or service provider is also typically elevated to Level 1 and must pass full annual audits from then on.
In some cases, particularly in high-risk businesses or industries, your bank or card processor may add a clause to your contract that requires a full external audit even if you aren’t a Level 1-2 business.
It’s critical to review your contract because that’s where your PCI compliance obligations come from. PCI DSS is a contractual standard rather than a law (a few US states have written parts of it into statute, but for most businesses the obligation is purely contractual). Because it is a staple part of every merchant agreement that involves payment cards, it may as well be mandatory.
What Goes Into a PCI DSS Compliance Audit?
If your business needs to undergo a PCI DSS compliance audit, whether it’s because of a past breach, a contract clause, or your position as a Level 1 merchant, the process is largely the same.
Either an internal assessor or an external Qualified Security Assessor (QSA) will handle the audit.
For Level 4, 3, or 2 businesses, the assessment is usually internal. You fill out the Self-Assessment Questionnaire and the Attestation of Compliance, and an officer of your company (and your ISA or assessor, if you use one) signs them. These serve as your contractually binding statement that you are in compliance; if you later have a breach and it’s found that you were attesting something other than reality, the penalties are severe.
For Level 1 businesses, high-volume service providers, those with contract clauses requiring it, or those with past data breaches, an external audit is conducted by a QSA from the PCI Security Standards Council’s published list of QSA companies. That list contains a few hundred firms from around the world that can provide these audits.
The process is similar; the assessor evaluates your security against all 12 requirements of PCI DSS. Instead of a self-assessment (since they aren’t your “self”), they produce a Report on Compliance (ROC) together with the Attestation of Compliance, sign off, and submit them.
What Happens if You Fail a PCI DSS Audit?
First, it’s important to define what failure means in the context of PCI DSS.
A failure in an audit does not necessarily mean immediate penalties, nor does it mean a loss of business operations. It can mean both of those things, but if you’re in that situation, it’s because you’ve already experienced a data breach or you’ve been willfully and intentionally lying about your compliance and been caught, and in neither case are you likely to be reading a post like this one.
A failure in an audit means that at least one of the 200+ possible controls that could apply to your business is not adequately implemented. This can be anything from a piece of software not being patched to substandard encryption being used to a fully ignored requirement.
Failure in an audit should be considered an opportunity. Penalties are not immediate (except in the case of an extant data breach, of course); instead, you are generally given a timeline to remediate the issue.
For self-assessments, an audit failure means a gap in implementation that needs to be fixed before your SAQ and AOC can be submitted and validated. For external audits, the QSA records the requirement as “not in place” in the ROC, and you cannot obtain a compliant AOC until the gap is remediated and re-tested.
The timeline commonly given for remediating PCI findings is 30 days. The audit finds a gap, the assessor points it out to you, and you are given the opportunity to fix it. If you do fix it within that window, and no customer information was exposed or breach occurred in the meantime, you’re generally good to go.
Penalties occur if there’s a breach or if you fail to remediate your issue within the timeline. Failing an audit, outside of a breach audit, is not necessarily immediate grounds for fines and other penalties.
What Are the Penalties for PCI DSS Noncompliance?
One thing to mention at this point is that, while the PCI Security Standards Council sets the standard, it does not set the penalties. Fines are levied by the card brands (Visa, Mastercard, JCB, and so on) on your acquiring bank, which passes them through to you under your merchant agreement, so the amounts vary by brand and by acquirer. Always refer to your specific contract for the information that is most relevant to you.
Penalties can be grouped into three categories.
Category 1 Penalties: Noncompliance Fines
The first category of penalty is monetary fines. These are the pressures put on you to fix your systems or suffer the consequences.
The specific fines can depend on the scale of the noncompliance, and will vary depending on your merchant level and on the payment card company you’re working with. They also escalate over time.
For the first three months of noncompliance, fines can be around $5,000 per month for level 3-4 organizations, and $10,000 per month for level 1-2 organizations.
For the next three months, those fines jump by a factor of five. Level 3-4 organizations can face up to $25,000 per month, and higher-level orgs can see $50,000 per month in penalties.
If noncompliance continues past that point, the fines double again. Smaller orgs face $50,000 per month (something that can easily end a small business), while larger orgs reach six figures per month.
All of this is a range. If you’re actively taking steps to solve your issues but those steps are taking longer than expected, good-faith efforts can lower the penalties. First-time noncompliance is also frequently less penalized than repeat offenders who should know better. The amount of adjustment and leeway depends on the payment card company.
Category 2 Penalties: Breach Penalties
The second category of penalties comes from the repercussions of a data breach. A failed audit alone won’t trigger these penalties, but if customer information is exposed, you will face additional fees.
These fees tend to range from around $50 to as much as $90 per record exposed. That’s per record, not per customer; one customer can have numerous records. It might not seem like much at first glance, but when hundreds of thousands or millions of records in a single database are exposed, the cost ramps up very quickly.
Category 3 Penalties: Non-Financial Repercussions
The third category is not fixed, because it’s not costs or fines levied by the payment card companies.
Instead, it’s all of the second-tier repercussions of failure to comply with PCI DSS.
- Legal action. Failure to comply opens you up to legal action, including lawsuits, particularly in the event of a data breach. If you work with clients, vendors, or partners who rely on your compliance, you can be sued for breach of contract as well.
- Reputational damage. Companies that fail their audits and especially suffer data breaches can end up less trusted on the open market, and you can lose customers because of it.
- Failed defenses. If you are noncompliant and you try to fight chargebacks, you have a strike against you already, especially for claims of fraud.
- Greater liability. In any instance where there’s a problem with payment processing, and you’re involved, you’re more likely to have more liability and more scrutiny if you’ve failed in compliance before.
- Loss of functionality. If you remain noncompliant or if your violation is large enough, it can result in terminating your contract and your ability to accept credit card payments at all.
In many ways, all of this can add up to be worse than the financial penalties.
How to Ensure You Pass Your PCI Audits
Passing a PCI audit is no joke. With potentially hundreds of security controls to implement, you need to pay careful attention to scoping, system architecture, and the software, vendors, and responsibilities involved.
Keeping track of all of this information is a huge task, and it’s very easy for details to slip through the cracks. That’s why we designed the Ignyte Assurance Platform. It helps businesses comply with all manner of security frameworks, from FedRAMP to ISO 27001 to, yes, PCI DSS. It tracks your scope and systems, walks you through analyzing your security posture and finding the gaps, and keeps the implementation details and evidence in one place, which is indispensable when an assessor asks for proof.
To see how the Platform can work for you, simply reach out. You can book a demo of our tool to see exactly how it can work for PCI compliance with your company. Once you experience the convenience, you’ll understand how much help it can be for passing any kind of security audit.
Max Aulakh is a distinguished Data Security and Compliance leader, recognized for implementing DoD-tested security strategies and compliance measures that protect mission-critical IT operations. His expertise was shaped in the United States Air Force, where he was responsible for the InfoSec and ComSec of network hardware, software, and IT infrastructure across global classified and unclassified networks. He also developed strategic relationships with military units in Turkey, Afghanistan, and Iraq. After his tenure with the USAF, Max played a pivotal role in driving Information Assurance (IA) programs for the U.S. Department of Defense (DoD). As a Senior Consultant for a leading defense contracting firm, he led a team that ensured data centers met Air Force Level Security audits for regulatory requirements like HIPAA, SOX, and FISMA. Currently, as the CEO of Ignyte Assurance Platform, he is at the forefront of cyber assurance and regulatory compliance innovation, catering to defense, healthcare, and manufacturing sectors. Max is also an esteemed speaker, having presented at several conferences on topics including cybersecurity GRC, medical device security, and cybersecurity perspectives in vendor management. You can follow him on LinkedIn here.