PCI DSS fines & penalties
Non-compliance isn't free. Monthly fines, higher fees, forensic audits, per-card assessments and breach liability all add up — and they all scale with how much card data you hold. Take it out of scope and the risk shrinks.
The many costs of non-compliance
A single fine is rarely the whole story. These are the costs that stack up when card data isn't properly protected.
Monthly fines
Acquirers and card brands can levy recurring non-compliance fines that escalate the longer you remain non-compliant.
Higher transaction fees
Non-compliant merchants are often moved to higher-risk pricing, raising the cost of every transaction.
Forensic investigation
After a suspected breach, a mandatory PFI forensic audit is at your expense — often a five-figure cost.
Per-card assessments
Card reissuance and fraud-recovery costs are assessed per exposed card and add up fast at scale.
GDPR exposure
A card data breach is also a personal-data breach, bringing potential GDPR penalties on top.
Reputational damage
Loss of customer trust and the ability to accept cards can outlast any single fine.
The same business, very different exposure
Penalties and breach liability scale with how much card data you hold. Remove it from your systems and there is little left to fine.
Card data in scope
You store and handle card numbers
- Exposed to monthly non-compliance fines
- Full breach and forensic liability
- Per-card assessments after an incident
- GDPR exposure on top
- Heavy SAQ D programme to maintain
Card data out of scope
Cards live in the vault, not your systems
- Little card data to fine or breach
- Breach exposure transferred to the vault
- Most merchants drop to SAQ A
- Supports GDPR data minimization
- Far less to maintain and evidence
See the full cost of PCI DSS compliance and how tokenization lowers it.
Related reading
Understand the costs, the questionnaires and the way to reduce both.
PCI DSS cost
The real cost of compliance and what drives it.
SAQ A vs SAQ D
Which questionnaire applies and what each demands.
PCI compliance ROI
Build the business case with real savings figures.
Reduce PCI scope
How tokenization takes card data out of your environment.
PCI DSS compliance
What PCI DSS requires and how we help you meet it.
Security & certifications
How card data is protected inside our vault.
PCI DSS fines, answered
01 How much are PCI DSS fines?
There is no single published figure. Acquirers and card brands can levy monthly non-compliance fines that typically range from a few thousand to tens of thousands, escalating the longer you remain non-compliant. After a breach, penalties, per-card assessments and forensic costs can run far higher.
02 Who issues PCI DSS penalties?
Fines flow through the payment chain: the card brands assess your acquiring bank, which passes the cost on to you. They are contractual rather than statutory, but they are real and can include higher transaction fees or loss of card acceptance.
03 What does a card data breach cost beyond fines?
Beyond direct fines, a breach can bring mandatory forensic investigation, per-card reissuance and fraud-recovery assessments, remediation, legal costs, GDPR exposure and lasting reputational damage. The total dwarfs the cost of staying compliant.
04 How does tokenization reduce the risk of fines?
If card data never touches your systems, there is little to fine, breach or assess. Tokenization moves card data into an external PCI DSS Level 1 vault, cutting most merchants to SAQ A and shrinking both your compliance burden and your exposure to penalties.
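To make the scope argument concrete, here is an added illustration (not this vendor's product, API or code) of what "card data never touches your systems" means in practice. The `Vault` class is a hypothetical stand-in for an external PCI-scoped vault: it is the only component holding the token-to-PAN mapping, it hands the merchant back a random token plus the last four digits, and it refuses to detokenize for anything but the payment path. The `find_raw_pans` function is the kind of scope check an assessor would want: it scans stored records for digit runs that pass Luhn, so you can show that the tokenized records carry nothing to fine, breach or assess. The card numbers are public test values, constructed for the example.

```python
"""Toy model of tokenization taking PANs out of merchant scope.

Assumptions: the vault is an in-memory dictionary (a real vault uses HSM-backed
keys, audited access and network isolation); tokens are random and unrelated to
the PAN; only the hypothetical "payment-processor" caller may detokenize.
"""
import re
import secrets

# Digit run of 13-19 digits, optionally separated by spaces or dashes.
PAN_RUN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Public card-brand test numbers, used here as constructed sample input.
SAMPLE_PANS = ["4111 1111 1111 1111", "5555 5555 5555 4444"]


def luhn_valid(value: str) -> bool:
    """Return True if the digits in value pass the Luhn check (i.e. look like a PAN)."""
    digits = [int(c) for c in value if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class Vault:
    """Hypothetical PCI-scoped vault: the only system that holds the token -> PAN map."""

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenize(self, raw_pan: str) -> dict:
        """Store the PAN and return a random token plus last4 for the merchant to keep."""
        pan = re.sub(r"\D", "", raw_pan)
        if not luhn_valid(pan):
            raise ValueError("input does not look like a valid PAN")
        token = "tok_" + secrets.token_hex(16)   # no mathematical relation to the PAN
        self._store[token] = pan
        return {"token": token, "last4": pan[-4:]}

    def detokenize(self, token: str, caller: str) -> str:
        """Only the payment path may recover a PAN; merchant applications cannot."""
        if caller != "payment-processor":
            raise PermissionError(f"{caller} is not allowed to detokenize")
        return self._store[token]


def find_raw_pans(records: list[dict]) -> list[tuple[int, str]]:
    """Scope check: return (record id, masked PAN) for every record holding a real-looking PAN."""
    hits = []
    for rec in records:
        for match in PAN_RUN.finditer(rec["card"]):
            digits = re.sub(r"\D", "", match.group())
            if luhn_valid(digits):
                hits.append((rec["id"], "*" * (len(digits) - 4) + digits[-4:]))
    return hits


def records_with_card_data() -> list[dict]:
    """Merchant database as it looks when PANs are stored directly (in scope)."""
    return [{"id": i, "card": pan} for i, pan in enumerate(SAMPLE_PANS, start=1)]


def records_with_tokens(vault: Vault) -> list[dict]:
    """The same records after tokenization: only vault tokens remain (out of scope)."""
    return [{"id": i, "card": vault.tokenize(pan)["token"]}
            for i, pan in enumerate(SAMPLE_PANS, start=1)]


if __name__ == "__main__":
    vault = Vault()
    print("in scope  :", find_raw_pans(records_with_card_data()))
    print("tokenized :", find_raw_pans(records_with_tokens(vault)))
```

Running the script shows both sample records flagged in the in-scope copy and nothing flagged once tokens replace the PANs; the merchant still has `last4` for receipts and lookups, while the PAN itself never leaves the vault.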
Don't pay for card data you don't need to hold
See how moving card data into our certified vault drops you to SAQ A and cuts your exposure to fines and breaches.