Many PCI DSS (Payment Card Industry Data Security Standard) breaches arise from small assumptions that go unchallenged – for instance a system thought to be out of scope, a payment process assumed to be fully covered by a third party or an SAQ selected because it looked like the closest fit rather than because it actually was.
Individually, none of these feel like significant risks. In combination, however, they create gaps that tend to surface at the worst possible moment, such as during a validation exercise, after a change in your environment or in the wake of a security incident.
This blog post focuses on what’s actually at stake when things like this go wrong.
If you’re not familiar with the PCI DSS and who it applies to, our guide Do You Need to Comply with the PCI DSS? covers the essentials.
How the PCI DSS is enforced
The PCI SSC (Payment Card Industry Security Standards Council) sets and maintains the Standard, but enforcement is contractual rather than regulatory – it flows from the card brands down through acquiring banks to merchants and service providers.
Your acquirer is your primary compliance relationship, but they are themselves accountable to the card brands, which means pressure can come from above as well as from the terms of your own merchant agreement.
This enforcement chain matters because it determines who acts, when they act and what they can do. It also means that consequences aren’t theoretical – they’re built into the commercial relationships that allow you to process card payments in the first place.
Consequences for merchants
The consequences of non-compliance range from financial penalties through to losing the ability to accept card payments altogether.
- Fines
  Card brands can levy fines on acquiring banks for compliance violations and acquirers pass those costs to merchants. These can be substantial and are typically applied on a monthly basis until compliance is demonstrated – they’re not a one-off penalty.
- Increased transaction fees
  Acquirers may also increase the fees charged on card transactions as a consequence of non-compliance, adding a less visible but ongoing financial burden.
- Mandatory forensic investigation
  Following a confirmed breach, merchants can be required to commission an investigation by a PFI (Payment Forensics Investigator) at their own expense. This is a detailed, independent examination of how the breach occurred and what data was compromised – a process that is both costly and time-consuming.
- Restrictions on card processing
  In serious cases, the ability to accept card payments can be suspended or revoked entirely. For most businesses, this is the most immediately damaging consequence of all.
- Escalation of compliance obligations
  A confirmed breach can result in a merchant being moved to Level 1 irrespective of their transaction volume, meaning a full ROC (Report on Compliance) conducted by a QSA (Qualified Security Assessor) is required thereafter, with all the cost and resource that entails.
- Reputational damage
  If there is any question over how payment data has been handled, the impact on customer trust can be lasting. This is particularly true where a breach has been publicly reported or has affected a significant number of cardholders.
Consequences for service providers
Service providers face the same range of financial and operational consequences as merchants, but with an additional dimension – their non-compliance doesn’t just affect their own business but every merchant that relies on them.
Visa and Mastercard both maintain registries of compliant service providers. Removal from those registries – or failure to appear on them in the first place – effectively signals to the market that a service provider can’t be used safely. The reputational consequences of losing that status can be severe and difficult to recover from.
A PCI DSS breach is also a GDPR breach
A point that catches many organisations off guard is that cardholder data – names, card numbers and expiry dates – is personal data under the GDPR (General Data Protection Regulation), which means any breach involving cardholder data is automatically a GDPR breach as well.
That triggers a separate enforcement regime. In the UK, the ICO (Information Commissioner’s Office) can impose fines of up to £17.5 million or 4% of annual global turnover – whichever is higher – under the UK GDPR.
Mandatory breach notification obligations also apply: organisations are required to report certain types of personal data breach to the ICO within 72 hours of becoming aware of them, and may also be required to notify affected individuals depending on the likely risk to those individuals.
Critically, the two regimes operate simultaneously and are enforced independently, so a single incident can result in enforcement action from your acquirer under the PCI DSS and from the ICO under the UK GDPR at the same time.
Indirect and longer-term consequences
Beyond formal enforcement, non-compliance carries a set of practical consequences that are less visible but equally damaging.
- Internal cost and disruption
  Remediating a compliance failure is expensive in time and resources, which can significantly disrupt business operations, particularly where timelines are already tight.
- Contracts and procurement
  Many enterprise contracts and public-sector frameworks now require demonstrable PCI DSS compliance. Without this, your ability to bid for new work or retain existing clients will be affected.
- Cyber insurance
  Non-compliance can affect both the validity of a cyber insurance policy and the terms on which a claim is settled following a breach. Insurers increasingly treat compliance status as a material factor in underwriting decisions.
The mistakes that lead here
Most of the consequences above are avoidable, and they tend to follow the same handful of failure modes.
- Incorrect scoping is probably the most common. If cardholder data flows haven’t been properly mapped, it’s easy to leave parts of the environment unprotected while believing controls are in place where they matter. That creates a false sense of security that can persist for years before it surfaces.
- Choosing the wrong SAQ is a related problem. Completing a simpler questionnaire that you’re not actually eligible for doesn’t reduce your obligations – it just means the gap hasn’t been identified yet. When it is identified, the consequences are the same as if the SAQ had never been completed. Read our article Choosing the Right PCI DSS SAQ: A Practical Guide for more information.
- Treating compliance as a one-off exercise is the third. Environments change – new systems are introduced, integrations are added, processes evolve. Without ongoing oversight, a compliant environment can drift out of compliance between assessment cycles without anyone noticing until something forces a closer look.
Where to start
If any of this has raised questions about your current position, the time to address them is before something external forces the issue. Read more in our guide Do You Need to Comply with the PCI DSS?, view our PCI DSS compliance and certification solutions, or speak to one of our PCI DSS experts directly.