Fines for non compliance with the PCI DSS
MasterCard and Visa can charge fines (which are expressed in US Dollars) for non compliance with the PCI DSS regulations. The fines would be in Sterling equivalents based on the relevant exchange rates.
MasterCard quarterly escalating fines for non compliance are:
Level 1 & 2 Merchants
- First Violation – Assessment Amount: Up to $25,000
- Second Violation – Assessment Amount: Up to $50,000
- Third Violation – Assessment Amount: Up to $100,000
- Fourth Violation – Assessment Amount: Up to $200,000
Level 3 Merchants
- First Violation – Assessment Amount: Up to $10,000
- Second Violation – Assessment Amount: Up to $20,000
- Third Violation – Assessment Amount: Up to $40,000
- Fourth Violation – Assessment Amount: Up to $80,000
Visa expects level 1, 2 and 3 merchants to demonstrate that they are actively engaged in the program to become compliant.
- Level 1 Merchants $25,000/monthly
- Level 2 Merchants $5,000/monthly
In addition, Visa asses fines for Prohibited Data Storage. A newly identified Level 1 or 2 merchant that has not yet validated their PCI compliance must complete an attestation form (PDRA). This form confirms the merchant does not retain prohibited data and must be submitted by March 31st of the calendar year following their identification.
Prohibited Data Storage is the storage of sensitive full magnetic data. Visa assesses escalating fines which are detailed below:
Monthly Prohibited Data Storage Violation Fines
| Months Months 1-3 Months 4-6 Months 7 and up |
Merchant Level 1 $10,000 $50,000 $100,000 |
Merchant Level 2 $5,000 $25,000 $50,000 |
Fines for Merchant Data Compromise
Card Association fines for an account data compromise are:
- Up to $600,000 for non-compliance with PCI DSS requirements
- Issuer Recovery Cost of Fraud Charges that occurred on all exposed cards from the compromised location
- The cost of the forensic investigation
- The cost to replace exposed credit cards
