Risks and Consequences for PCI DSS
If you are a Chief Financial Officer (CFO) or a comptroller, you are probably asking the question: "Why would I need to spend the money on PCI?" Good question: there are fines! Unfortunately, the fine schedules are not well defined. Your company's contract with the acquiring bank probably has a clause in it stating that any fines from the card brands will be "passed through" to you. With all compliance deadlines passed, the fines could start tomorrow. Visa USA has announced that it will start fining acquirers (which will pass on the costs to the merchant) between $5,000 and $25,000 per month if their Level 1 merchants have not demonstrated compliance by September 30, 2007, and Level 2 merchants have not demonstrated compliance by December 31, 2007. In addition, fines of $10,000 per month may already be assessed today for prohibited data storage by Level 1 or Level 2 merchants.
What is certain is that you will be fined up to $500,000 if non-compliant and compromised. Believe it or not, if compromised, this will be the least of your concerns. Civil liabilities will dwarf the fines from the card brands. Some estimates place the cost of compromise at $80 per account. Some companies that have been compromised have been forced to close their doors. According to PCI Co and the Ponemon Institute study, the per capita cost of a data breach has gone up more than 30 percent in the past year.
In addition to fines, after a compromise, assuming you are still in business, the company automatically gets Level 1 status for compliance verification and the audit process gets significantly more expensive. Consider the cost of data forensic services, increased frequency of reporting, and so forth. Not to mention that you will still have to comply with PCI eventually if you want to continue to be able to accept payment cards, or to remain in the related line of business.
[PCI Compliance, 2007, Bradley]