PCI Compliance · 3 May 2025 · 12 min read

Consequences of PCI DSS Non-Compliance Explained

Non-compliance with PCI DSS can have severe consequences for businesses of all sizes. Understand the potential financial, legal, and reputational impacts before it is too late.

When businesses talk about PCI DSS non-compliance, the conversation often jumps straight to fines. But the fines are just the beginning. The real story is what happens in the weeks and months after a breach is discovered — the forensic investigations, the card scheme penalties, the mandatory audits, and sometimes the loss of the right to process card payments at all.

This article walks through what non-compliance actually costs, drawing on real enforcement cases and the mechanics of how PCI penalties work in practice.

Key takeaways

  • PCI DSS fines don't come from a government regulator — Visa and Mastercard levy them through your acquiring bank, typically £5,000–£100,000 per month.
  • British Airways was fined £20 million for a 2018 breach; Marriott £18.4 million for a breach running undetected since 2014.
  • Non-compliance consequences go beyond fines: forensic investigations, mandatory audits, card scheme penalties, and potential loss of card processing rights.
  • A data breach triggers additional penalties: card replacement costs, fraud reimbursement liability, and increased transaction fees.
  • Descoping — removing card data from your environment entirely — is cheaper and more reliable than remediating a large compliance estate.

The British Airways and Marriott Cases: What Non-Compliance Actually Looks Like

Two enforcement cases from recent years put the scale of the problem in sharp relief.

British Airways suffered a data breach in 2018 that exposed the personal and financial details of approximately 430,000 customers. A malicious script had been injected onto the BA website, scraping payment details in real time as customers entered them. The ICO eventually fined British Airways £20 million — reduced from an initial notice of £183 million due to the economic impact of COVID-19 and the company's cooperation with investigators.

Marriott International disclosed a breach of its Starwood guest reservation database the following year. The breach had been running, undetected, since 2014 — a five-year window during which data on up to 339 million guests, including payment card details, was accessible to attackers. The ICO fined Marriott £18.4 million.

Both cases follow the same pattern: inadequate security controls, a breach that went undetected far too long, and regulatory consequences that dwarfed what the proper security measures would have cost.

How PCI DSS Fines Actually Work

There's a common misunderstanding about where PCI fines come from. Unlike ICO penalties under GDPR, they don't arrive as a direct letter from a government regulator. Instead, Visa and Mastercard levy penalties through your acquiring bank, which then passes those costs down to you as the merchant. The mechanism is contractual, not statutory — but the financial effect is identical.

The structure typically works like this: if you're found to be non-compliant, your acquirer notifies you and sets a deadline to achieve compliance. During that period, the card brands fine the acquirer for your non-compliance status, and those charges are passed straight through to your business. The fees run from roughly £5,000 to £100,000 per month, depending on the severity of the gaps and your merchant level.

The amounts escalate over time. Miss the first deadline and the monthly charge increases. At six months without resolution, some card brands move to consider termination of your right to accept their cards.

A breach changes the picture entirely. Once cardholder data has been compromised, additional penalty mechanisms kick in:

Card replacement costs are substantial and often overlooked. When cards are compromised, issuers have to replace them — and the cost per replacement card typically runs to $5–10 each. A breach affecting 50,000 cards can generate $250,000–$500,000 in replacement costs alone, charged back to the merchant who failed to protect the data.

Forensic investigation costs are mandatory, not optional. Whenever a breach is suspected, the card brands require a forensic audit conducted by a PCI Forensic Investigator. These investigations cost between £50,000 and £500,000 depending on the complexity of your environment and the scope of the breach. You don't get to choose whether to have one; it's a requirement.

Fraud liability is the longest-running cost. For a set period after a breach, non-compliant merchants can be held liable for fraudulent transactions on the compromised cards. This is separate from the fines and can run into six or seven figures for larger incidents.

The Operational Consequences: What Disrupts Businesses Most

For businesses with strong balance sheets, the fines may be survivable. What's harder to survive is what happens to your operations.

The most severe consequence is losing the right to process card payments entirely. Mastercard and Visa can, and do, terminate merchants' ability to accept their cards when non-compliance is persistent or when a breach is particularly serious. For any business that relies on card payments — which is almost every business — this is existential.

Before it reaches that point, you'll face mandatory changes to how you operate. After a breach, card brands typically require you to move up to Level 1 PCI compliance — the most stringent tier. Level 1 requires an annual on-site assessment by a Qualified Security Assessor and quarterly network scans. These programmes routinely cost £30,000–£100,000 per year to maintain, on top of the initial remediation work that led to the upgrade requirement.

Your transaction costs will increase regardless. Acquiring banks treat non-compliant merchants as higher risk, and they price that risk into your per-transaction fees. A business processing £1 million per month in card transactions facing an additional 0.2–0.5% due to non-compliance status pays £2,000–£5,000 in extra monthly costs — indefinitely, until compliance is demonstrated and maintained.

The reputational damage is harder to put a number on but just as real. Under GDPR in the UK, breaches affecting personal data must be reported to the ICO within 72 hours. When that notification becomes public — and it usually does — customer trust erodes fast. Research consistently shows a meaningful percentage of consumers stop using companies that have suffered data breaches. For businesses where trust is central to the relationship, such as financial services, healthcare, or professional services, that customer attrition can exceed the direct financial penalties by a wide margin.

What PCI Non-Compliance Looks Like for Typical UK Businesses

The large fines attract headlines, but most PCI non-compliance cases don't involve global hotel chains. They involve small and mid-sized businesses that have grown quickly, added phone payment capabilities without thinking through the security implications, or inherited legacy systems that were never properly assessed.

A common scenario: a contact centre starts recording calls to improve quality. Nobody thinks to pause recordings when customers read out their card number. Two years later, the business has thousands of hours of recordings containing unencrypted cardholder data on a server. When this is discovered during a PCI assessment, the remediation process involves not just securing the system going forward, but dealing with the historic recordings that were never properly protected.

Another pattern that comes up repeatedly: a business uses a VoIP phone system and processes payments with agents who see and hear full card numbers on screen. When a QSA audits the environment, the entire phone system, all the servers it touches, every endpoint connected to the network, and every employee who handles calls is now in scope for PCI. What should be a contained compliance programme becomes a six-figure exercise covering most of the business's infrastructure.

The Costs Add Up Faster Than Most Businesses Expect

To put it in concrete terms, here's a realistic picture of what a breach and the resulting non-compliance process costs a mid-sized UK business:

Monthly non-compliance fees from your acquirer during remediation: £5,000–£25,000 per month. If remediation takes six months, that's up to £150,000 in fees before any breach costs.

Mandatory forensic investigation: £50,000–£200,000 for a medium-complexity environment. More if your infrastructure is complex or geographically distributed.

Card replacement liability if you're found responsible: varies widely, but £50,000–£500,000 is realistic for a breach affecting tens of thousands of cards.

Remediation work — patching systems, implementing encryption, upgrading infrastructure: £20,000–£100,000 for a business of modest scale.

Ongoing Level 1 compliance programme once you're required to move up: £30,000–£100,000 per year.

ICO fine under UK GDPR if personal data was involved — separate from PCI penalties: up to £17.5 million or 4% of global turnover.

For a business processing a few hundred thousand pounds per month in card transactions, the total exposure from a single breach can reach £500,000 to £1 million before reputational impact is factored in.

The Smarter Approach: Descoping Rather Than Remediating

The most effective response to PCI compliance risk isn't trying to secure a complex, high-scope environment. It's reducing that scope so that most of your systems and processes simply don't touch cardholder data in the first place.

This is what descoping means in practice. When card data never enters your environment — never passes through your call recordings, never reaches your agents' desktops, never sits on your servers — those systems aren't in scope for PCI assessment. You can't fail an audit of infrastructure that has no cardholder data in it.

Paytia's approach is straightforward. When a customer pays by phone using Paytia's platform, their card details go straight from their phone keypad to Paytia's PCI DSS Level 1 certified environment. DTMF masking suppresses the tones representing the card number — your agent can't hear them, your call recording system can't capture them. The payment processes, the customer gets confirmation, and your environment has never seen the card data.
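The channel separation described above, as an added, constructed simulation that is not Paytia's code: while card capture is active, keypad digits are diverted to a payment-side buffer and the in-scope agent/recording channel receives only a mask; a Luhn scan over the resulting recording shows how to confirm that no PAN leaked into it. The class and function names, the sample call events and the test card number are all constructed for the example.

```python
"""Constructed DTMF-masking simulation (not Paytia's code). While card capture
is active, keypad digits go only to a payment-side buffer and the in-scope
agent/recording channel receives a mask, so the PAN never enters that scope."""
import re
from dataclasses import dataclass, field

MASK = "*"
PAN_RUN = re.compile(r"\d{13,19}")   # candidate PAN lengths
def luhn_valid(digits: str) -> bool:
    """ISO/IEC 7812 mod-10 check; rejects non-digit or too-short input."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def recording_contains_pan(transcript: str) -> bool:
    """Leak check: True if any 13-19 digit run in the recording passes Luhn."""
    return any(luhn_valid(m.group()) for m in PAN_RUN.finditer(transcript))

@dataclass
class CallSession:
    agent_channel: list = field(default_factory=list)  # in scope: agent + recorder
    _payment_buffer: str = ""                          # payment side only
    capturing: bool = False

    def start_capture(self) -> None:
        self.capturing, self._payment_buffer = True, ""

    def on_event(self, kind: str, value: str) -> None:
        if kind == "dtmf" and self.capturing:
            self._payment_buffer += value     # diverted to the payment side
            self.agent_channel.append(MASK)   # agent and recorder get a mask
        else:
            self.agent_channel.append(value)  # speech, or menu DTMF before capture

    def complete_capture(self) -> dict:
        """Validate the PAN, give the agent only the last four, wipe the buffer."""
        pan, self._payment_buffer, self.capturing = self._payment_buffer, "", False
        ok = luhn_valid(pan)
        self.agent_channel.append(f"card ending {pan[-4:]} {'accepted' if ok else 'rejected'}")
        return {"ok": ok, "last4": pan[-4:]}

    def pending_digits(self) -> int:
        return len(self._payment_buffer)

def demo() -> tuple:
    """One call: greeting, menu keypress, masked card entry, confirmation."""
    s = CallSession()
    s.on_event("speech", "hello, I'd like to pay my bill")
    s.on_event("dtmf", "1")                  # menu choice, outside capture
    s.start_capture()
    for d in "4242424242424242":             # constructed test PAN
        s.on_event("dtmf", d)
    result = s.complete_capture()
    return result, " ".join(s.agent_channel)
```

Running `demo()` yields a recording transcript containing only mask characters and the last four digits, and `recording_contains_pan` over it returns False, which is the property a QSA would want evidence of.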

The compliance implications are significant. A business that previously had 50 systems in scope for PCI assessment because agents were handling card payments can reduce that number to near zero. The monthly assessment cycle, the quarterly network scans, the annual QSA visits — all of that applies to a much smaller footprint, or potentially none of your systems at all.

We've seen businesses cut their annual PCI compliance costs by 70–90% through descoping alone. Not by investing in more security technology for their existing environment, but by keeping card data out of that environment entirely.

Waiting Is the Expensive Option

The businesses that end up with the worst outcomes tend to be the ones that knew they had compliance gaps but kept deferring the fix. The monthly non-compliance fee feels manageable. The breach feels unlikely. The QSA audit is still six months away.

Then something goes wrong — a breach, a complaint from a card issuer, a failed audit — and suddenly they're negotiating with their acquirer, funding a forensic investigation, and wondering whether they'll still be able to process card payments in three months.

The economics of prevention versus remediation aren't close. A proper descoping exercise and the right payment infrastructure costs a fraction of what it costs to deal with the aftermath of a breach. And it removes not just the fine risk, but the operational disruption, the reputational damage, and the years of heightened compliance scrutiny that follow a serious incident.

If your contact centre or telephone payment process involves agents hearing card data, or if you're recording calls without suppressing cardholder information, that's where to start. Talk to Paytia about how descoping your phone payments works and what it would take to reduce your compliance risk from day one.

Visa and Mastercard Fine Structures: The Detail Businesses Don't Expect

The card brand fine structures are more granular than most businesses realise, and understanding how they're applied helps explain why non-compliance situations can escalate so quickly.

Visa operates a tiered compliance programme. Tier 1 non-compliance — businesses that are out of compliance but have had no breach — generates monthly fees starting at $5,000 per month. These increase progressively at 30, 60, and 90 days. At 180 days without resolution, Visa can move to disqualification proceedings, which would remove your ability to accept Visa cards.

Mastercard's structure is similar but has historically been slightly more aggressive at the escalation points. The fees are applied to your acquirer first, but most acquiring agreements include pass-through provisions for compliance-related charges, so the cost lands with the merchant.

Importantly, these fees are applied per violation category, not as a single monthly total. A business that has multiple compliance gaps — inadequate encryption, insufficient access controls, and missing audit logging — can face multiple concurrent fine tracks. This is how non-compliance situations that seem manageable on paper become significant in practice.

American Express operates a similar structure through its OptBlue and direct acquirer programmes. For businesses with significant Amex transaction volumes, a separate compliance track with Amex adds another layer to the remediation process.

The GDPR Dimension: When PCI Meets Data Protection Law

PCI DSS and UK GDPR are separate frameworks, but a cardholder data breach triggers both. This matters because the consequences from the ICO are in addition to, not instead of, the card brand penalties.

Under UK GDPR, a breach that exposes personal data — and a card breach almost always involves personal data, since card numbers are linked to named individuals — must be reported to the ICO within 72 hours of becoming aware of it. If the breach is also likely to result in a high risk to the rights and freedoms of affected individuals, those individuals must be notified directly without undue delay.

The ICO's maximum fines under UK GDPR are £17.5 million or 4% of global annual turnover, whichever is higher. In practice, the ICO has shown willingness to levy substantial fines against businesses that have failed to implement appropriate technical and organisational measures — which is exactly what a PCI DSS failure usually represents.

The British Airways case illustrates the layering. The ICO fine of £20 million was under GDPR, not PCI DSS. The card brand penalties and forensic investigation costs were separate from that. For a company of BA's size, the total compliance-related cost of that single breach ran into tens of millions of pounds once all elements were counted.

For smaller businesses, the proportionality of ICO fines tends to mean lower absolute amounts — the ICO takes company size and ability to pay into account. But the reputational and operational consequences are proportionally larger for smaller organisations that have less capacity to absorb disruption.

What Happens When a QSA Finds Non-Compliance

Qualified Security Assessors conduct on-site PCI assessments for Level 1 merchants and are increasingly used by Level 2 merchants as well. Understanding what happens when they find a problem is useful, because the process isn't the same as being fined on the spot.

When a QSA identifies a compliance gap, they issue a finding in their report. If the gap is material, it results in a failed assessment — no Report on Compliance (RoC) for that year. The merchant's acquiring bank is notified, and the clock starts on the remediation timeline.

The QSA will typically provide a remediation roadmap — a list of specific controls that need to be implemented or verified before a passing assessment can be issued. The business then has to remediate those gaps and either bring the QSA back for a follow-up assessment or, in some cases, demonstrate compliance through evidence submission.

This process takes time. Between the failed assessment, the remediation work, and the follow-up validation, it's common for three to six months to pass — during which the monthly non-compliance fees are running.

For businesses that have never been through a formal PCI assessment, a QSA audit is often the moment when the actual scope of their compliance obligations becomes clear. The finding that agents can hear card numbers on calls, or that call recordings contain unmasked PAN data, is a significant escalation from "we haven't thought about this" to "we have a documented compliance failure with a remediation deadline."

Building the Right Foundation Before Problems Arise

The businesses that handle PCI compliance most effectively are the ones that built it into their payment architecture from the start, rather than trying to retrofit it after a QSA visit or a breach.

For contact centres specifically, this means making sure that agents never see or hear card data. Not through policy alone — policies fail — but through technology that makes it structurally impossible for card data to enter the agent environment. DTMF masking for phone payments, secure payment links for digital wallet or card-not-present transactions, and IVR payment flows for self-service channels all achieve this in different ways.

The compliance cost savings from getting this right upfront are substantial. A business that descopes its contact centre from card data handling before its first QSA audit faces a simpler, cheaper assessment than one that has to remediate years of accumulated exposure.

Speak to Paytia if you're working through a compliance assessment or building new payment capabilities. We've helped businesses in financial services, utilities, healthcare, and contact centre environments sort out their phone payment security, and we can walk you through what the right architecture looks like for your specific situation.

Frequently Asked Questions

What's the maximum PCI DSS fine?

There's no fixed maximum. Card brands can levy fines of up to $100,000 per month per violation through your acquirer, and those charges run until compliance is achieved. Separately, ICO fines under UK GDPR for personal data breaches can reach £17.5 million or 4% of global annual turnover.

Who actually pays the PCI fine — the business or the bank?

Card brands fine the acquiring bank, which passes the cost to the merchant. Practically speaking, the business pays — the acquirer is just the intermediary in the process.

Can a business lose the ability to accept card payments?

Yes. Mastercard and Visa can terminate a merchant's right to accept their cards for persistent non-compliance or after a serious breach. It's the nuclear option, but it happens.

Is PCI DSS a legal requirement in the UK?

PCI DSS is a contractual requirement, not a law — imposed by the card brands through your agreement with your acquiring bank. However, a breach that exposes personal data triggers UK GDPR obligations, which are a legal requirement, and the ICO can fine accordingly.

How does Paytia reduce PCI compliance burden?

Paytia uses DTMF masking and channel separation to keep card data out of your environment entirely. When your systems never touch cardholder data, they don't fall within PCI scope — which means lower compliance costs, fewer systems to audit, and significantly reduced breach risk.
