The True Cost of a PCI Data Breach
Real numbers on what a data breach actually costs — fines from card brands, forensic investigation fees, customer notification costs, and long-term brand damage. See what descoping your PCI environment can save.
What you'll learn
- Average breach cost breakdown: fines, legal, forensics, notifications
- Real-world case examples with anonymised figures
- ROI calculation for PCI scope reduction
- Board-level summary you can share with leadership
PDF · 10 pages · 12 min read
Trusted by banks, law firms, and regulated businesses worldwide.
The number on the breach report isn't the number you'll pay
Annual breach-cost surveys quote averages, and averages are useful for board slides. They're not useful for a UK contact-centre business trying to work out what a card-data incident would actually cost. The headline figure underplays direct costs and badly underplays the indirect ones — the second category is usually larger and lasts longer. Below is what we've watched happen to businesses in our market.
Direct costs — the bills you'll pay in the first six months
A forensic investigation by a PCI Forensic Investigator (PFI) typically runs into the tens to hundreds of thousands of pounds, scaled to the size of your environment and how cleanly you can hand over evidence. You pay for it, but the PFI is engaged at the acquirer's and card brands' direction and reports to them, not to you. If the investigation finds that cardholder data was exposed, the card brands will levy fines through your acquirer; these are contractual, not regulatory, and the schedules aren't public, but they're material: typically several hundred thousand pounds for a notifiable card-brand breach, more if the brands judge you negligent.
On top of that you'll pay for customer notification, replacement card programmes administered by issuing banks, monitoring services for affected customers, and legal advice that runs from incident response through every regulator interaction. Most businesses underestimate notification costs because they only price the postage. The real cost is the call-centre uplift to handle inbound questions for weeks afterwards. Our guide on what regulatory action looks like walks through the parallel reporting workflows in more detail.
Indirect costs — the ones that compound
The acquirer is the next problem. Once you've had a notifiable card breach, your merchant rates go up, your reserves go up, and in some cases the acquirer drops you and you spend months trying to find a new one with a high-risk-merchant premium baked into your pricing forever. A handful of UK businesses we've seen lost merchant status entirely after a breach and had to rebuild card acceptance from a worse starting position than they had at incorporation.
Then there's the ICO. Card data is personal data under UK GDPR, and a notifiable incident triggers a parallel investigation that the PCI process doesn't cover. ICO fines run on a separate schedule — the headline maximum is the higher of £17.5m or 4% of global turnover, but the realistic question is what the ICO finds when it asks how you stored, processed, and protected the data in the first place. If your PCI DSS compliance posture is patchy, the ICO will see the same patchiness from a UK GDPR angle.
Brand damage is the slowest-moving and the hardest to model. Customer churn after a breach is real but usually concentrated in your highest-value segment: the customers who pay closest attention are the ones who leave first. B2B contracts get harder; new prospects ask for Attestations of Compliance (AoCs) and breach histories during procurement that they wouldn't have asked for before.
The cheaper alternative is descope, not better defence
The best response to a breach risk this expensive is to remove most of the data you'd otherwise have to defend. DTMF masking on telephone payments has the customer key the card number on their phone keypad and suppresses the tones from the agent's audio, the call recording, and the agent's screen, so PANs never reach agents, recordings, or your CRM. Tokenisation replaces stored PANs with reference values that are useless to an attacker who doesn't also hold the token provider's vault. Together they shrink the cardholder data environment to the minimum that PCI DSS actually requires you to defend, which means the maximum size of any future breach is bounded by what you couldn't remove. The cost of getting there is small compared to the cost of one notifiable incident, and the case for doing it doesn't depend on a specific breach figure: it depends on whether you'd rather defend a small attack surface or a large one.
For the full feature set behind these recommendations, see our PCI DSS v4 solution.
Ready to simplify your PCI compliance?
Book a personalised demo and we'll show you how Paytia can descope your telephone payment environment.