PCI Compliance · 20 May 2026 · 8 min read

PCI DSS Fines: What Happens If You're Not Compliant

The fines aren't the worst part of PCI non-compliance — the forensic costs and acquirer escalation hit first and harder. But they're real, they're structured, and most merchants don't understand who actually levies them. Here's the honest picture.

The fines for PCI non-compliance aren't the worst part of the story, and that's the bit most coverage gets wrong. The forensic investigation that follows a breach, the acquirer escalation that lands the week after disclosure, and the loss of card-acceptance privileges if it all goes badly — those are the financial events that take businesses down. The structured PCI fines, when they come, are an add-on. But they're real, they're published in the card schemes' operating rules, and most merchants don't understand who actually levies them. This piece walks through who issues PCI penalties, the published bands, the bigger costs that arrive first, and the UK regulatory overlay that runs on a separate track.

The honest summary up front: PCI DSS itself doesn't issue fines. The PCI Security Standards Council writes the standard and runs the qualification programmes for assessors. The fines flow through the card schemes — Visa, Mastercard, American Express, Discover, JCB — into the acquirers, who pass the costs to merchants under their contracts. There's a separate track for personal-data fines in the UK, run by the Information Commissioner's Office under UK GDPR and the Data Protection Act 2018. A merchant who suffers a card-data breach is typically exposed to both at once.

Who actually issues PCI fines

The PCI Security Standards Council — the body that publishes PCI DSS — is a standards organisation, not an enforcement body. It writes the rules, accredits Qualified Security Assessors, and runs the certification programmes. It doesn't have direct authority to fine a merchant for non-compliance. That authority sits with the five founding card brands, who each maintain their own compliance programmes built on top of PCI DSS. Our PCI DSS overview walks through how the standard itself fits into the wider ecosystem.

Visa publishes its rules through the Visa Core Rules and the Visa Product and Service Rules. Mastercard publishes its Security Rules and Procedures. American Express, Discover and JCB each have their own equivalent documents. All five reference PCI DSS as the underlying standard. When a merchant fails to meet PCI DSS, what they're actually breaching is the card brand's operating rules — which they accepted when their acquirer signed them up to accept cards.

The enforcement chain runs through the acquirer. The card scheme fines the acquiring bank, and the acquirer-merchant contract gives the acquirer the right to pass those costs on to the merchant. That's why fine letters arrive on acquirer letterhead rather than from Visa directly. It's also why the actual fine amount a merchant pays can be different from the card scheme's published band — the acquirer has some discretion about what to absorb and what to pass through, depending on the merchant relationship and the breach circumstances.

The published fine bands — structure rather than specific numbers

Both Visa and Mastercard publish the structure of their fine programmes in their operating rules, even though the specific dollar amounts move year to year and aren't always public to non-members. Two programmes dominate the contact-centre and merchant world.

Visa's Account Data Compromise Recovery programme (ADCR — sometimes also called Account Data Compromise Recovery Process, ADCRP) handles the post-breach reimbursement and fining process. It has two components: operating expenses paid by the responsible party for the cost of the investigation and reissuance, and incremental counterfeit fraud recovery paid against the actual losses on the compromised accounts. Per-account amounts published in industry coverage typically run in the low single-digit dollars per compromised card up to higher figures depending on the merchant's level and history.

Mastercard's Account Data Compromise programme runs in parallel and follows similar logic — an issuer-recovery component for reissuance and fraud, plus a penalty component for the underlying non-compliance.

Separate from breach-related fines, both schemes have ongoing non-compliance penalties for merchants who fail to file their annual PCI assessment or whose ASV scans repeatedly fail. These are typically structured as monthly fines that escalate the longer the non-compliance runs, with published bands in industry reporting ranging from low five-figure monthly amounts for early-stage non-compliance up to six-figure monthly amounts for sustained failure at higher merchant levels. The exact figures change and are tied to the acquirer's contract — what to plan for is the structure, not the specific number: it escalates, it compounds, and it doesn't stop until you become compliant.

The costs that hit before the fines do

The fines themselves are the back end of the cost stack. Three earlier costs land sooner and usually hit harder.

First is the PCI Forensic Investigation. The moment a card-data breach is suspected, the card scheme can require the merchant to engage a PFI (PCI Forensic Investigator) from the PCI Council's qualified list. PFI engagements typically run from low five figures for small breaches to high six figures for complex ones, with the merchant footing the bill regardless of whether a breach is confirmed. The PFI's report is what the schemes use to determine fault and to size any fine. The cost of the investigation routinely exceeds the cost of any subsequent fine.

Second is acquirer escalation. A breached merchant typically loses any commercial flexibility they had with their acquirer. Lower-rate merchant categories get re-priced. Hold-back reserves get increased. The acquirer demands more frequent assessments — quarterly ASV scans become monthly, monthly compliance reports become weekly. The carrying cost of all this is usually multiples of the fines themselves and runs for years.

Third is the existential threat: suspension or termination of card-acceptance privileges. The card schemes can, in serious cases, force the acquirer to terminate the merchant's account, which means the merchant loses the ability to take card payments altogether until a new acquirer accepts them — usually at much worse rates, and not always at all. For most businesses, "we can't take cards" is the end of the business. It's rare, but it's the option that sits behind every other enforcement action.

UK regulatory overlay — the ICO runs on a separate track

Card data is personal data. A PCI breach is also a data-protection breach. In the UK that puts the Information Commissioner's Office on the case in parallel to anything the card schemes do, and the ICO's regime is published, enforceable, and large.

UK GDPR and the Data Protection Act 2018 give the ICO two civil monetary penalty tiers. The standard maximum is the greater of £8.7 million or 2% of annual worldwide turnover for the prior financial year. The higher maximum is the greater of £17.5 million or 4% of annual worldwide turnover. Card-data breaches typically fall into the higher tier because they involve special-category-adjacent financial data and usually have an element of avoidable security failure. The ICO's published penalty notices show the kinds of facts that drive them towards the higher tier — failure to encrypt at rest, failure to apply available patches, failure to follow basic logging discipline, late breach notification.

The 72-hour breach notification rule under UK GDPR Article 33 applies independently of any PCI notification timeline. A merchant who learns of a breach has 72 hours to notify the ICO, regardless of whether the card schemes have been told yet. Missing that window is itself an enforcement matter the ICO weighs separately from the breach.

So the UK picture for a serious breach is: card-scheme fines via the acquirer, plus ICO civil monetary penalty, plus PFI costs, plus acquirer escalation, plus whatever civil litigation comes from affected customers. The ICO penalty alone can be the largest individual line on the bill.

The two ways merchants actually get caught

Most merchants who end up in the enforcement chain get there one of two ways.

The first is a breach disclosure. The acquirer's monitoring picks up an unusual fraud signature traced back to the merchant, a card brand's CPP (Common Point of Purchase) analysis identifies the merchant as the likely source of a batch of compromised cards, or the merchant discovers the breach itself and discloses it. In every case the clock then starts: PFI engagement, scheme notification, ICO notification, and the fine programmes run their course. Disclosure isn't optional — failing to disclose a known breach is itself a separate enforcement matter under both the card-scheme rules and UK GDPR.

The second is annual non-compliance. The merchant fails to file the annual SAQ on time, fails the ASV scan and doesn't remediate, or files an SAQ that the acquirer or QSA can't accept. The card scheme's non-compliance fining programme triggers without any breach having occurred. For contact-centre operators specifically, the wider v4.0.1 picture sits in our PCI DSS v4.0 call centre guide. This is the quieter route and the more common one — most merchants who pay PCI fines have never had a breach; they've just let the paperwork slip. Our guide to PCI compliance auditing walks through the annual cycle in more detail.

How to not be the cautionary tale

The escape from this stack of risk is the same as the escape from the cost stack — descope the cardholder data environment until there's much less to lose. The single biggest descoping move for any business that takes phone payments is putting DTMF masking between the customer's keypad and the contact-centre network, so the cardholder data environment is just the masking layer itself rather than the agent floor, the recordings, the CRM and the supporting systems. A breach can't expose data that never entered the environment in the first place.

The second move is to use a Level 1 service provider for the surfaces you can't descope, so the fine exposure on those surfaces sits with the provider rather than with you. Paytia's been a PCI DSS Level 1 service provider since 2016 specifically so customers can lean on our Attestation of Compliance to shrink their own scope. Our overview of how Paytia helps with PCI compliance covers which surfaces fit that pattern.

The third — almost embarrassingly basic — is to file the annual SAQ on time, every year, every line. Most ongoing non-compliance fines exist because the paperwork lapsed, not because the security did. The cardholder data environment guide covers the scoping work that makes the SAQ tractable in the first place, and our explainer on what descoped actually means shows where the savings come from.

If you want to see how much of your environment could come out of scope, the conversation starts with mapping where card data actually flows today versus where it needs to. We do that mapping with customers on the first call — happy to do it with you.
