What is PCI DSS Non-Compliance?

PCI DSS non-compliance occurs when an organisation that stores, processes, or transmits cardholder data fails to meet the requirements of the Payment Card Industry Data Security Standard. Non-compliance can result in fines, increased processing fees, and in serious cases, the loss of the ability to accept card payments.

What Counts as Non-Compliance

An organisation is non-compliant with PCI DSS if it fails to meet any of the standard's requirements and has not submitted a valid attestation of compliance (AOC) or completed the appropriate self-assessment questionnaire (SAQ). Non-compliance can range from minor gaps -- such as outdated documentation -- to serious failures like storing unencrypted card data or lacking basic network security controls.

Common causes of non-compliance include:

  • Not completing the required annual assessment (SAQ or QSA audit)
  • Storing prohibited data such as full magnetic stripe data, CVV codes, or PINs after authorisation
  • Failing to maintain firewalls, encryption, or access controls
  • Not monitoring or logging access to cardholder data
  • Using default or weak passwords on systems that handle card data
  • Allowing agents to hear, see, or record card numbers without appropriate security controls

Penalties and Consequences

The card brands (Visa, Mastercard, American Express, and others) impose penalties for non-compliance through the acquiring banks that process a merchant's transactions. These penalties can include:

Financial Penalties

  • Monthly fines ranging from $5,000 to $100,000 depending on the severity and duration of non-compliance
  • Increased transaction processing fees
  • Liability for any fraudulent transactions that result from the security gap
  • Costs of forensic investigation if a breach occurs

Operational Consequences

  • Mandatory remediation programmes with strict deadlines
  • Increased reporting requirements and more frequent audits
  • Restrictions on payment processing capabilities
  • In extreme cases, termination of the merchant account -- meaning the business can no longer accept card payments

Non-Compliance After a Data Breach

If a data breach occurs and the organisation is found to be non-compliant at the time, the consequences escalate significantly. The business may face card brand fines, the cost of notifying affected cardholders, credit monitoring services for those affected, and potential lawsuits. The reputational damage alone can be devastating.

PCI DSS v4.0 introduced more rigorous requirements around continuous monitoring and evidence of ongoing compliance, making it harder for organisations to treat compliance as a once-a-year exercise.

How to Avoid Non-Compliance

The most effective way to reduce compliance risk is to minimise the amount of card data your organisation handles. Technologies that remove card data from your environment -- such as DTMF masking, tokenisation, and hosted payment pages -- reduce PCI DSS scope and make compliance simpler and less expensive to maintain.

How Paytia Uses This

Paytia helps businesses avoid PCI DSS non-compliance by removing card data from their contact centre environment entirely. When payments are processed through Paytia's DTMF suppression platform, card numbers never enter the agent's audio stream, screen, or call recordings.

This descopes the contact centre from PCI DSS, meaning those systems no longer need to meet the standard's requirements. The result is a dramatically smaller compliance footprint, lower audit costs, and reduced risk of the penalties associated with non-compliance.

Frequently Asked Questions

What happens if my business is not PCI DSS compliant?

Your acquiring bank may impose monthly fines, increase your processing fees, or require you to complete a remediation programme. In serious cases, your merchant account could be terminated, meaning you would no longer be able to accept card payments. If a data breach occurs while you are non-compliant, the financial and legal consequences are significantly worse.

How much are PCI DSS non-compliance fines?

Fines typically range from $5,000 to $100,000 per month, depending on the size of the business, the severity of the non-compliance, and how long it has persisted. These fines are levied by the card brands through your acquiring bank. Additional costs may include forensic investigation fees and liability for fraudulent transactions.

Can small businesses be fined for PCI DSS non-compliance?

Yes. PCI DSS applies to every organisation that accepts, processes, or stores card data, regardless of size. While smaller businesses complete simpler self-assessment questionnaires rather than full audits, they are still subject to fines and penalties if they fail to comply.

See how Paytia handles PCI DSS non-compliance

Book a personalised demo and we'll show you how our platform works with your setup.