PCI Compliance | 20 May 2026 | 16 min read

PCI DSS Fines: What Happens If You're Not Compliant

The fines aren't the worst part of PCI non-compliance — the forensic costs and acquirer escalation hit first and harder.


The fines for PCI non-compliance aren't the worst part of the story, and that's the bit most coverage gets wrong. The forensic investigation that follows a breach, the acquirer escalation that lands the week after disclosure, and the loss of card-acceptance privileges if it all goes badly — those are what actually take businesses down. The structured PCI fines, when they come, are an add-on. But they're real, they're published in the card schemes' operating rules, and most merchants don't understand who actually levies them. This piece walks through who issues PCI penalties, the published bands, the bigger costs that arrive first, and the UK regulatory overlay that runs on a separate track.

The honest summary up front: PCI DSS itself doesn't issue fines. The PCI Security Standards Council writes the standard and runs the qualification programmes for assessors. The fines flow through the card schemes — Visa, Mastercard, American Express, Discover, JCB — into the acquirers, who pass the costs to merchants under their contracts. There's a separate track for personal-data fines in the UK, run by the Information Commissioner's Office under UK GDPR and the Data Protection Act 2018. A merchant who suffers a card-data breach is typically exposed to both at once. And since March 2024 the version that matters is PCI DSS v4.0 (now v4.0.1) — v3.2.1 retired, and a clutch of v4 requirements that were future-dated became mandatory on 31 March 2025. Anyone still planning against v3.2.1 is already non-compliant.

What "PCI DSS fines for non-compliance" actually means in 2026

People search "PCI DSS fines" expecting a price list. There isn't one. There are three different cost streams that get lumped together as "the fine", and they each have their own rules, their own triggers, and their own enforcers:

  • Card-scheme non-compliance fines — monthly penalties for failing to file your annual assessment, failing ASV scans, or leaving card-handling systems out of the validated scope. Visa and Mastercard publish the structure; the acquirer applies it.
  • Card-scheme breach assessments — Visa's Account Data Compromise Recovery (ADCR) and Mastercard's Account Data Compromise (ADC) programmes, triggered after a confirmed breach. These cover issuer reimbursement, fraud recovery, and a penalty layer.
  • Regulatory fines for the personal-data breach — in the UK the ICO under UK GDPR, in the EU the lead supervisory authority under the GDPR, in the US a patchwork of state attorneys general and the FTC.

The card-scheme programmes and the regulatory regimes run in parallel. A breached merchant is exposed to all three at once. The amount published by a card scheme is not the amount the merchant pays — the acquirer's contract is what determines pass-through, and acquirers routinely add their own administrative penalties on top.

Who actually issues PCI fines


The PCI Security Standards Council — the body that publishes PCI DSS — is a standards organisation, not an enforcement body. It writes the rules, accredits Qualified Security Assessors, and runs the certification programmes. It doesn't have direct authority to fine a merchant for non-compliance. That authority sits with the five founding card brands, who each maintain their own compliance programmes built on top of PCI DSS. Our PCI DSS overview walks through how the standard itself fits into the wider ecosystem.

Visa publishes its rules through the Visa Core Rules and the Visa Product and Service Rules. Mastercard publishes its Security Rules and Procedures. American Express, Discover and JCB each have their own equivalent documents. All five reference PCI DSS as the underlying standard. When a merchant fails to meet PCI DSS, what they're actually breaching is the card brand's operating rules — which they accepted when their acquirer signed them up to accept cards.

The enforcement chain runs through the acquirer. The card scheme fines the acquiring bank, and the acquirer-merchant contract gives the acquirer the right to pass those costs on to the merchant. That's why fine letters arrive on acquirer letterhead rather than from Visa directly. It's also why the actual fine amount a merchant pays can be different from the card scheme's published band — the acquirer has some discretion about what to absorb and what to pass through, depending on the merchant relationship and the breach circumstances.

The published fine bands — structure rather than specific numbers

Both Visa and Mastercard publish the structure of their fine programmes in their operating rules, even though the specific dollar amounts move year to year and aren't always public to non-members. Two programmes dominate the contact-centre and merchant world.

Visa's Account Data Compromise Recovery programme (ADCR, sometimes written out as the Account Data Compromise Recovery Process) handles post-breach reimbursement and fining. Visa has since folded it into its Global Compromised Account Recovery programme (GCAR), but the mechanics are the same and much industry coverage still uses the older name. It has two components: operating expenses, paid by the responsible party to cover the issuers' investigation and card-reissuance costs, and incremental counterfeit fraud recovery, paid against the actual fraud losses on the compromised accounts. Per-account amounts reported in industry coverage run from low single-digit dollars per compromised card upward, scaled by the merchant's level and compliance history.

Mastercard's Account Data Compromise programme runs in parallel and follows similar logic — an issuer-recovery component for reissuance and fraud, plus a penalty component for the underlying non-compliance.

Separate from breach-related fines, both schemes have ongoing non-compliance penalties for merchants who fail to file their annual PCI assessment or whose ASV scans repeatedly fail. These are typically structured as monthly fines that escalate the longer the non-compliance runs, with published bands in industry reporting ranging from low five-figure monthly amounts for early-stage non-compliance up to six-figure monthly amounts for sustained failure at higher merchant levels. The exact figures change and are tied to the acquirer's contract — what to plan for is the structure, not the specific number: it escalates, it compounds, and it doesn't stop until you become compliant.

The costs that hit before the fines do

The fines themselves come last. Three earlier costs land sooner and usually hit harder.

First is the PCI Forensic Investigation. The moment a card-data breach is suspected, the card scheme can require the merchant to engage a PFI (PCI Forensic Investigator) from the PCI Council's qualified list. PFI engagements typically run from low five figures for small breaches to high six figures for complex ones, with the merchant footing the bill regardless of whether a breach is confirmed. The PFI's report is what the schemes use to determine fault and to size any fine. The cost of the investigation routinely exceeds the cost of any subsequent fine.

Second is acquirer escalation. A breached merchant typically loses any commercial flexibility they had with their acquirer. Lower-rate merchant categories get re-priced. Hold-back reserves get increased. The acquirer demands more frequent assessments — quarterly ASV scans become monthly, monthly compliance reports become weekly. The carrying cost of all this is usually multiples of the fines themselves and runs for years.

Third, and worst: suspension or termination of card-acceptance privileges. The card schemes can, in serious cases, force the acquirer to terminate the merchant's account, which means the merchant loses the ability to take card payments altogether until a new acquirer accepts them — usually at much worse rates, and not always at all. For most businesses, "we can't take cards" is the end of the business. It's rare, but it's the option sitting behind every other enforcement action.

UK regulatory overlay — the ICO runs on a separate track

Card data is personal data. A PCI breach is also a data-protection breach. In the UK that puts the Information Commissioner's Office on the case in parallel to anything the card schemes do, and the ICO's regime is published, enforceable, and large.

UK GDPR and the Data Protection Act 2018 give the ICO two civil monetary penalty tiers. The standard maximum is the greater of £8.7 million or 2% of annual worldwide turnover for the preceding financial year; the higher maximum is the greater of £17.5 million or 4%. Card numbers are not special-category data under Article 9, and a bare security failure under Article 32 sits in the standard tier. What moves card-data breaches into the higher tier is that the ICO pleads them as a breach of the integrity-and-confidentiality principle in Article 5(1)(f) as well, which is a higher-tier infringement; that is how the BA and Marriott notices were framed. The ICO's published penalty notices show the facts that drive that finding: unencrypted card data at rest, available patches not applied, basic logging and monitoring discipline absent, late breach notification.

The breach-notification rule in UK GDPR Article 33 applies independently of any card-scheme notification timeline. A controller that becomes aware of a personal-data breach likely to result in a risk to individuals must notify the ICO without undue delay and, where feasible, within 72 hours, regardless of whether the card schemes or the acquirer have been told yet; where the risk is high, Article 34 adds a duty to tell the affected individuals. Missing the 72-hour window is itself an aggravating factor when the ICO sizes its fine.

UK case studies — what actually got fined and why

The ICO publishes every monetary penalty notice on its website. Read enough of them and a pattern emerges: the fine itself is rarely the headline. The aggravating factors — what the regulator says the organisation should have done — are the part worth learning from. A few UK cases that any contact-centre operator handling cards should know:

British Airways (2020). The ICO's notice of intent in 2019 proposed £183 million for the 2018 Magecart attack that scraped roughly 429,000 customer records, including payment-card data. The final penalty in October 2020 was £20 million — reduced for the pandemic and BA's remediation, but the published reasoning is the part to read. The ICO found BA had failed to limit access, hadn't applied multi-factor authentication, hadn't tested for the relevant attack class, and hadn't detected exfiltration that ran for two weeks. Every one of those is a control PCI DSS requires explicitly. The card-scheme assessments ran separately.

Marriott International (2020). Originally £99 million proposed, reduced to £18.4 million. The breach predated Marriott's acquisition of Starwood but Marriott inherited the systems and the exposure. The ICO penalised the failure to assess the acquired estate properly — a useful precedent for any merchant integrating a new acquisition's payment platform.

Ticketmaster UK (2020). £1.25 million for a 2018 breach via a chatbot supplied by a third party. Card data was skimmed off the payment page. The ICO singled out the failure to assess the third-party script's risk before deploying it on a checkout page — directly relevant to any contact centre using third-party widgets or scripts on payment workflows.

Carphone Warehouse (2018). £400,000 under the predecessor regime (the Data Protection Act 1998) for a breach that exposed roughly 3 million customer records and card data. The notice cited unpatched WordPress installations, weak access controls, and inadequate logging. The cap then was £500,000; under UK GDPR the same facts would carry exposure of tens of millions.

The thread running through all four: PCI DSS would have required the controls the ICO found missing. Pass PCI and you make the ICO's higher tier harder to land. Fail PCI and you've effectively pre-conceded the aggravating-factors argument.

EU regulators — the GDPR runs on the same logic but bigger numbers

Outside the UK the EU GDPR ceilings have the same structure: the greater of €10 million or 2% of annual worldwide turnover in the standard tier, and the greater of €20 million or 4% in the higher tier. Only the fixed floors differ; in both regimes the percentage is of global turnover, so for a large group the percentage, not the fixed sum, sets the ceiling. EU supervisory authorities have been more willing than the ICO to land at the top of the band:

Meta (Ireland, 2023). €1.2 billion from the Irish Data Protection Commission — not for a payment breach, but it sets the ceiling and shows the regulators will use it. The DPC's reasoning was about transfers, not card data, but the precedent matters for any contact centre offshoring card capture without proper safeguards.

Amazon (Luxembourg, 2021). €746 million from Luxembourg's CNPD — at the time the largest GDPR fine ever issued. Not card-data-specific, but illustrative of where the European regulators sit on the curve.

H&M (Germany, 2020). €35.3 million from the Hamburg data-protection authority for excessive employee surveillance and data retention at a customer-service centre in Nuremberg. The case did not turn on call recordings: managers had written up details of employees' private lives gleaned from informal conversations and return-from-absence talks, and kept the notes on a network drive readable by dozens of other managers. The lesson for contact centres is the same one, though: whatever a conversation reveals, once it is captured and retained, is the organisation's liability. If you record calls that contain card data and don't pause/mute properly, you're sitting on exactly that risk vector, and our guide on PCI compliance and call recording goes into the controls needed.

Where a breach affects people in several member states, the GDPR's one-stop-shop mechanism puts a lead supervisory authority in charge, with the other concerned authorities able to object and the European Data Protection Board issuing a binding decision if they can't agree. That cooperation lengthens the investigation but it doesn't reduce the fine; the Meta decision above is the clearest case, where the EDPB's binding decision required the Irish DPC to add the fine its own draft had left out.

US regulators — the FTC, state AGs, and PCI all overlap

The US has no federal data-protection law equivalent to GDPR, but the enforcement is just as real and runs through more bodies. Any merchant taking US cards needs to understand the layers:

Federal Trade Commission. Under Section 5 of the FTC Act, the FTC pursues "unfair or deceptive" practices, and inadequate data security has been treated as both. The FTC has brought dozens of data-security actions against merchants and service providers since the mid-2000s; Wyndham (settled 2015, after the Third Circuit confirmed the FTC's authority to treat poor security as an unfair practice) and TJX (settled 2008) are the card-data cases to read. LabMD is the counter-example: the Eleventh Circuit vacated the FTC's order in 2018 as too vague to enforce, which is why modern orders spell out specific controls. Section 5 gives the FTC no civil penalty for a first violation, so most settlements carry no fine; what they carry is a 20-year consent order requiring a written security programme and independent third-party assessments every two years, with civil penalties attaching if the order is later breached. The carrying cost of a 20-year consent order frequently exceeds what a fine would have been.

State Attorneys General. All fifty states, DC and the territories now have breach-notification laws, and most AGs can also act under general consumer-protection statutes. California (with the CCPA/CPRA private right of action for breaches layered on top), New York (under the SHIELD Act), Massachusetts and Illinois are the most active enforcers. State AGs frequently file together: the Target breach drew an $18.5 million settlement with 47 states and DC, and the Equifax breach drew a settlement of at least $575 million across the FTC, the CFPB, 48 states, DC and Puerto Rico combined.

New York DFS Part 500. Financial-services firms regulated by New York's Department of Financial Services have to comply with 23 NYCRR Part 500, which has its own annual certification and breach-notification regime running in parallel to PCI and the state AG. Penalties have run into eight figures.

For a UK or EU merchant taking US card-not-present payments, the practical exposure is to all three layers at once. PCI is the floor.

How descoping actually reduces the fine exposure

Every line of analysis above leads to the same answer: the way to reduce fine exposure is to reduce the data you hold. If cardholder data never enters your environment, the PCI scope shrinks, the breach surface shrinks, and the ICO's aggravating-factors argument loses its teeth.

For contact centres, this is what DTMF masking and channel separation do. The caller types card digits on their phone keypad. The tones are intercepted before they reach the agent, the recorder, the CRM, or the network. The agent stays on the call, can hear the caller, and can confirm completion — but never hears or sees the digits and the recording captures silence or a flat tone where the card would have been. The data goes straight to the payment processor. Nothing about the card sits in your environment after the call ends.

That single control change moves a contact centre from PCI DSS SAQ D (the full ~330-question assessment) to SAQ A (the short ~30-question version). It also takes the contact centre out of the population that can be implicated in card-data breaches — because the cards aren't there to be breached. The ICO can't fine you for losing data you didn't have. The card schemes can't run an ADCR assessment against a merchant whose systems were never compromised. The forensic investigator's report becomes much shorter and much cheaper. Our PCI compliance cost breakdown walks through the savings numerically; for a 50-seat contact centre the difference between SAQ D and SAQ A typically runs into six figures annually before any breach scenario.

The same logic applies to payment links for follow-up payments, telephone payments for agent-assisted flows, and the wider work we do with contact centres. The product changes; the principle doesn't. Hold less data, and fewer fine factors apply.

What to do before any of this becomes your problem

If you're reading this because you already think there might be a problem, the order matters. First: confirm whether you're inside or outside PCI scope. Most contact centres are inside, even when they think they aren't. Second: read your acquirer agreement. The fines clause, the indemnity clause, and the assessment-frequency clause are the three to find. Third: review your last QSA report or SAQ, and check whether the v4.0.1 future-dated requirements that became mandatory in March 2025 are in scope and addressed. Fourth: if you take any card-not-present payments by phone, work out where the data actually flows. If a single agent ever hears or sees a card digit, the cardholder-data environment includes that agent's headset, screen, network, and recording.

From there it's a scoping decision. Either invest in the controls PCI DSS v4 requires across that environment, or move the data out of the environment so the controls aren't your problem. The second is cheaper, faster, and more durable. It's also what regulators reward — the ICO's published guidance treats organisations that demonstrably minimise data as having addressed their accountability principle, which materially reduces fine exposure when something does go wrong.

The realistic 2026 fine picture

Stripping out the hype, what a UK contact centre is actually exposed to in 2026 looks like this:

  • Routine non-compliance (missed assessment, failed ASV). Acquirer non-compliance penalty: typically £5,000–£25,000 per month, escalating. Usually negotiable on first occurrence, not on the third.
  • Breach with no card-data loss but PCI gaps found. Card-scheme breach assessment small, ICO interest minimal, but acquirer escalation severe. PFI fees £30,000–£150,000. Realistic total: £100,000–£500,000 over 18 months.
  • Confirmed breach with cards lost. Card-scheme ADCR/ADC into the high six figures or low seven figures depending on volume. ICO fine into the seven figures realistically. PFI into the six figures. Reissuance, fraud reimbursement, brand damage, customer remediation on top. Realistic range £2 million to tens of millions.
  • Catastrophic breach with systemic failure. The BA/Marriott pattern. Eight figures from the ICO, eight figures from card schemes, plus customer class actions. Anything from £20 million upward, with the high end open-ended at 4% of global turnover.

Those bands are the planning numbers. They're not a quote. The way to make them irrelevant is to take card data out of your environment so the events that trigger them can't happen on your watch. That's what we built Paytia to do — and it's why the conversations we have with finance directors aren't really about software, they're about which line item in next year's risk register they want to delete.

Frequently asked questions about PCI DSS fines

Are PCI DSS fines public?

The card schemes' fine bands are published in their operating rules; the specific dollar amounts move year to year and aren't always public to non-members. Individual merchant fines are almost never published by Visa or Mastercard. ICO fines and FTC settlements are published — the ICO posts every monetary penalty notice and the FTC publishes its settlement orders. If you want to see what real enforcement looks like, those are the documents to read.

What's the biggest PCI DSS fine ever issued?

It depends what you count. The card schemes don't publish individual merchant penalties, so the biggest public number is usually a combined breach-and-data-protection figure. The Equifax 2017 breach settlement reached $575 million across the FTC, CFPB, and 48 US states. Home Depot's 2014 breach settled in aggregate above $200 million across card schemes, regulators, and customer class actions. In the UK, BA's £20 million ICO fine is the largest published card-related penalty so far.

Who pays the PCI fine — the merchant or the acquirer?

The card scheme fines the acquirer. The acquirer-merchant contract gives the acquirer the right to pass it on, and in practice it does. The fine letter you receive will be on acquirer letterhead. The amount may be different from the card scheme's published figure because the acquirer can add or subtract under its contract.

Does PCI DSS v4.0.1 change the fine structure?

The fines come from the card schemes, not from PCI DSS itself, so the penalty structure is unchanged. What v4.0 (and the v4.0.1 update) changed is what counts as compliant. Requirements that were future-dated became mandatory on 31 March 2025, among them targeted risk analyses for the controls that allow a risk-based frequency (Requirement 12.3.1), the evidence obligations that come with the customised approach where a merchant chooses to use it, script inventory and authorisation on payment pages together with change-and-tamper detection for them (Requirements 6.4.3 and 11.6.1), and a documented scope confirmation every six months for service providers (Requirement 12.5.2.1). A merchant still assessed against v3.2.1 is out of compliance and exposed to the non-compliance penalty track. Our PCI DSS v4 phone-payments checklist walks through what changed for contact centres.

What's the minimum PCI fine?

There isn't a published minimum. Acquirer non-compliance penalties for a missed assessment typically start in the low five figures monthly, but acquirers regularly waive or reduce first-occurrence penalties for merchants in good standing. A small Level 4 merchant who files their SAQ A late and then files it correctly will often see no charge at all. A Level 2 merchant who repeats the lapse should expect to pay.

Can the ICO and the card schemes both fine me for the same breach?

Yes. They're separate regimes. The ICO is enforcing UK GDPR — protection of personal data. The card schemes are enforcing their operating rules — protection of the card payment ecosystem. The same incident triggers both. Card data is personal data, but it's also payment data, and the two regimes don't coordinate their fines.

Will my cyber insurance cover PCI fines?

Read your policy. Many UK cyber policies explicitly exclude fines and penalties as a matter of public policy — the principle is that you shouldn't be able to insure against your own regulatory breach. Some policies cover the PFI fee, the legal costs, customer-notification costs, and credit-monitoring costs but not the fines themselves. Some cover ICO fines but not card-scheme assessments. Some cover neither. Assume nothing.

If I move to a descoped flow now, do past breaches still attract fines?

Yes — moving out of scope today doesn't retroactively clean up a breach that's already happened. But it does cap forward exposure, and regulators take remediation into account when sizing fines. The ICO has reduced more than one published fine after the merchant demonstrated they'd moved cardholder data out of the breached environment.

How do US state attorneys general interact with UK fines?

If your UK contact centre takes US cards, you're exposed to both. US state AGs pursue under state breach-notification laws and consumer-protection statutes; the ICO pursues under UK GDPR. The investigations are separate, the timelines are different, and neither reduces the other. Equifax is the worked example: alongside the US settlement of at least $575 million, the ICO fined Equifax Ltd £500,000 in 2018, the maximum under the Data Protection Act 1998, for the UK records caught up in the same breach.

What's the fastest way to reduce my fine exposure?

Take card data out of the environment that takes the call. DTMF masking for inbound, payment links for follow-up, and proper channel separation for any flow that crosses systems. Less data, less scope, less exposure. The ICO's accountability principle rewards minimisation; the card schemes' assessment process gets shorter when there's less to assess.

Ready to take secure payments?

Book a demo with our team. We'll show you DTMF masking live, talk through PCI DSS scope reduction, and put together pricing based on your call volume.
