When US businesses talk about PCI DSS non-compliance, the conversation usually jumps straight to fines. But the fines are just the beginning. The real story is what happens in the weeks and months after a breach is discovered — the forensic investigations, the card scheme penalties, the FTC investigation, the state AG actions, the mandatory audits, and sometimes the loss of the right to process card payments at all.
Fine examples below use US figures (Visa, Mastercard, FTC, state AGs). The penalty mechanics vary by jurisdiction; the structure of consequences is the same.
This article walks through what non-compliance actually costs in the US, drawing on real enforcement cases and the mechanics of how PCI penalties work in practice.
Key takeaways
- PCI DSS fines don't come from a federal regulator — Visa and Mastercard levy them through your acquiring bank, typically $5,000-$100,000 per month for Level 1-2 violations.
- Target's 2013 breach cost the company over $200 million in breach-related expenses, net of insurance. Home Depot's 2014 breach cost more than $300 million. Equifax's 2017 breach settled for up to $700 million.
- Non-compliance consequences go beyond fines: forensic investigations, mandatory audits, card scheme penalties, FTC enforcement, state AG action, and potential loss of card processing rights.
- A data breach triggers additional penalties: card replacement costs ($5-10 per card), fraud reimbursement liability, and increased transaction fees.
- Descoping — removing card data from your environment entirely — is cheaper and more reliable than remediating a large compliance estate.
What Major US Breaches Actually Cost#

The biggest US payment breaches of the last decade put the scale of the problem in sharp relief.
Target suffered a breach over the 2013 holiday season that exposed the card data of approximately 40 million customers, along with personal information for another 70 million. Attackers got in with credentials stolen from an HVAC vendor that had remote access for billing and project work, moved laterally to the point-of-sale network, and harvested card data with memory-scraping malware on the registers. Target's reported breach-related expenses, net of insurance, exceeded $200 million, covering settlements with Visa and Mastercard issuing banks, consumer class actions, and a multistate AG settlement. The CEO was forced out. Brand trust took years to rebuild.
Home Depot disclosed a similar breach the following year, exposing card data for around 56 million customers. Here too the entry point was a third-party vendor's credentials, and the intrusion ran for roughly five months before detection. Settlements with card-issuing banks, consumer class actions, and state AG offices pushed direct costs past $300 million.
Equifax's 2017 breach was broader than PCI alone: Social Security numbers, dates of birth, and driver's license numbers were exposed for about 147 million Americans, alongside payment card details for around 209,000. The entry point was a public-facing web application running a version of Apache Struts with a known critical vulnerability for which a patch had been available for months. The Federal Trade Commission, the Consumer Financial Protection Bureau, and the attorneys general of 48 states, the District of Columbia and Puerto Rico reached a settlement worth at least $575 million and up to $700 million, including up to $425 million in consumer redress.
All three cases follow the same pattern: inadequate controls, breaches that went undetected too long, and consequences that dwarfed what the proper security measures would have cost.
How PCI DSS Fines Actually Work in the US#
There's a common misunderstanding about where PCI fines come from. They don't arrive as a direct letter from a federal regulator. Instead, Visa and Mastercard levy penalties through your acquiring bank, which then passes those costs straight to you as the merchant. The mechanism is contractual, not statutory — but the financial effect is identical.
The structure typically works like this: if you're found to be non-compliant, your acquirer (whether that's Stripe, Braintree, Cybersource, Adyen, Worldpay-FIS, or any of the others) notifies you and sets a deadline to achieve compliance. During that period, the card brands fine the acquirer for your non-compliance status, and those charges flow straight through to your business. Fees typically run from $5,000 to $100,000 per month for Level 1 and Level 2 violations, depending on the severity of the gaps and your merchant level.
The amounts escalate over time. Miss the first deadline and the monthly charge increases. At six months without resolution, card brands move to consider termination of your right to accept their cards — the ultimate penalty.
A breach changes the picture entirely. Once cardholder data has been compromised, additional penalty mechanisms kick in:
Card replacement costs are substantial and often overlooked. When cards are compromised, issuing banks have to replace them — and the cost per replacement card typically runs $5-10 each. A breach affecting 50,000 cards generates $250,000-$500,000 in replacement costs alone, charged back to the merchant who failed to protect the data.
Forensic investigation costs are mandatory, not optional. Whenever a breach is suspected, the card brands require a forensic investigation conducted by a PCI Forensic Investigator (PFI), a firm on the PCI Security Standards Council's approved list; you do not get to substitute an incident-response vendor of your own choosing for this part. These investigations cost between $65,000 and $650,000 depending on the complexity of your environment and the scope of the breach.
Fraud liability is the longest-running cost. For a set period after a breach, non-compliant merchants can be held liable for fraudulent transactions on the compromised cards. This is separate from the fines and can run into six or seven figures for larger incidents.
Curious how Paytia fits in? Have a quick chat with us — we'll show you in 15 minutes whether we're a fit.
The Operational Consequences: What Disrupts Businesses Most#
For businesses with strong balance sheets, the fines may be survivable. What's harder to survive is what happens to your operations.
The most severe consequence is losing the right to process card payments entirely. Mastercard and Visa can, and do, terminate merchants' ability to accept their cards when non-compliance is persistent or when a breach is particularly serious. For any business that relies on card payments — almost every US business — this is existential.
Before it reaches that point, you'll face mandatory changes to how you operate. After a breach, card brands typically require you to validate at Level 1, the most stringent merchant tier. Level 1 requires an annual onsite assessment by a Qualified Security Assessor (QSA), documented in a Report on Compliance, plus quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). These programs routinely cost $40,000-$130,000 per year to maintain in the US, on top of the initial remediation work that led to the upgrade requirement.
Your transaction costs will increase regardless. Acquiring banks treat non-compliant merchants as higher risk, and they price that risk into your per-transaction fees. A business processing $1 million per month in card transactions facing an additional 0.2-0.5% due to non-compliance status pays $2,000-$5,000 in extra monthly costs — indefinitely, until compliance is demonstrated and maintained.
The reputational damage is harder to put a number on but just as real. State data breach notification laws now apply in all 50 states. When that notification becomes public — and it usually does — customer trust erodes fast. Research consistently shows a meaningful percentage of consumers stop using companies that have suffered data breaches. For businesses where trust is central to the relationship — financial services, healthcare, professional services — customer attrition can exceed the direct financial penalties by a wide margin.
FTC and State AG Enforcement: The Other Half of the Bill#
The card scheme penalties are only one side of the bill. In the US, a payment data breach almost always triggers parallel enforcement from federal and state regulators.
The Federal Trade Commission has used its unfairness-and-deception authority under Section 5 of the FTC Act for years to pursue companies that failed to implement reasonable data security. The FTC's case history is extensive: Wyndham Worldwide, LabMD, and dozens of less well-known settlements have produced multi-year consent orders requiring ongoing third-party security assessments, often for 20 years. (LabMD's order was later vacated by the Eleventh Circuit as too vague to enforce, which is one reason newer FTC orders spell out specific controls such as multi-factor authentication, encryption and logging rather than a generic "comprehensive security program".) The financial cost of those consent decrees, compounded across two decades, frequently exceeds the headline fine.
State attorneys general add another layer. California's AG has used the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), to pursue companies whose breaches involve California residents, and given California's population that is almost any breach. The CCPA also gives consumers a private right of action when a breach of unencrypted personal information results from a failure to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident; multiplied across a large breach population, that provision anchors class actions that can exceed the regulatory penalties.
New York's AG uses the SHIELD Act (Stop Hacks and Improve Electronic Data Security Act), which expanded breach notification requirements and imposes reasonable security standards on any business handling private information of New York residents.
Illinois adds the Biometric Information Privacy Act (BIPA), which carries statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation when biometric data is involved. This is increasingly relevant as more contact centers add voice biometric authentication to their payment flows, since a voiceprint is a biometric identifier under BIPA.
Most state AGs participate in multistate settlements when a major breach occurs. The Equifax settlement was negotiated jointly with the AGs of 48 states, the District of Columbia and Puerto Rico. For Target's 2013 breach, 47 states and the District of Columbia reached an $18.5 million settlement separate from the card brand and federal actions. State AGs treat consumer data protection as a core priority, and they coordinate.
HIPAA Overlay: When PCI Meets Healthcare#
For US healthcare providers, the picture gets more complex. When a healthcare entity takes a card payment over the phone, the call often contains protected health information (PHI) alongside the payment data — patient names, dates of birth, treatment information. That overlap means a single breach can trigger both PCI DSS consequences and HIPAA penalties.
HIPAA civil penalties, enforced by the Office for Civil Rights (OCR), are capped at a statutory $1.5 million per violation category per calendar year (the cap is inflation-adjusted annually, so the current figure is somewhat higher); criminal penalties for knowingly obtaining or disclosing PHI are prosecuted by the Department of Justice. A healthcare contact center that allows agents to hear card numbers is creating audio records that contain both PHI and PAN data, and unprotected storage of that audio is a violation of both standards.
The cleanest answer is the same one that works for non-healthcare contact centers: stop card data and PHI from ending up in the same recording in the first place.
What PCI Non-Compliance Looks Like for Typical US Businesses#
The headline cases attract media attention, but most PCI non-compliance situations don't involve Fortune 500 retailers. They involve small and mid-sized businesses that have grown quickly, added phone payment capabilities without thinking through the security implications, or inherited legacy systems that were never properly assessed.
A common scenario: a contact center starts recording calls to improve quality. Nobody thinks to pause recordings when customers read out their card number. Two years later, the business has thousands of hours of recordings containing unencrypted cardholder data on a server. When this surfaces during a PCI assessment, the remediation involves not just securing the system from then on, but dealing with the historic recordings that were never properly protected. Those recordings are often worse than merely unencrypted: if the customer also read out the three-digit security code, the recording holds sensitive authentication data, which PCI DSS Requirement 3 forbids storing after authorization in any form, encrypted or not. Such recordings cannot be brought into compliance by encrypting them; the affected segments have to be located and deleted, or the recordings destroyed.
Another pattern that comes up repeatedly: a business uses a VoIP phone system and processes payments with agents who see and hear full card numbers on screen. When a QSA audits the environment, the entire phone system, all the servers it touches, every endpoint connected to the network, and every employee who handles calls is now in scope for PCI. What should be a contained compliance program becomes a six-figure exercise covering most of the business's infrastructure.
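Both scenarios start with the same question: where, in the material you already hold, is cardholder data sitting? The block below is an added example, not code from this page or from Paytia, of the discovery step a remediation team runs over call transcripts, screen-capture logs and ticketing exports (it cannot inspect raw audio; that needs transcription first). It finds candidate 13-19 digit runs, keeps only those that pass the Luhn mod-10 check so timestamps and order numbers do not trigger it, and rewrites each hit in the first-six-last-four display form that PCI DSS permits. The sample lines are constructed for the example and use the well-known Visa, American Express and Mastercard test card numbers; the log format and field names are assumptions.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every card brand's PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Display form permitted by PCI DSS: at most the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_line(line: str):
    """Return the line with every Luhn-valid PAN masked, plus the masked PANs found."""
    found = []

    def replace(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            masked = mask_pan(digits)
            found.append(masked)
            return masked
        return match.group(0)   # timestamp, batch id, etc.: leave untouched

    return PAN_CANDIDATE.sub(replace, line), found


def scan_lines(lines):
    """Scan a transcript or log; findings are (1-based line number, masked PAN)."""
    masked_lines, findings = [], []
    for n, line in enumerate(lines, start=1):
        masked, found = scan_line(line)
        masked_lines.append(masked)
        findings.extend((n, pan) for pan in found)
    return masked_lines, findings


# Constructed sample: three transcript lines from one call plus two system log lines.
# The card numbers are the public Visa, Amex and Mastercard test numbers, not real cards.
SAMPLE_LINES = [
    "2024-01-15 12:30:45 rec=call-0142 agent: and the long number on the front of the card?",
    "2024-01-15 12:31:02 rec=call-0142 customer: it's 4111 1111 1111 1111, expiring nine twenty-seven",
    "2024-01-15 12:31:10 rec=call-0142 customer: the three digits on the back are 737",
    "batch 20240115123045 processed 378282246310005 via gateway-b",
    "support ticket 5555-5555-5555-4444 reopened by agent 17",
]

if __name__ == "__main__":
    masked_lines, findings = scan_lines(SAMPLE_LINES)
    for n, pan in findings:
        print(f"line {n}: PAN found, masked form {pan}")
    print("\n".join(masked_lines))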
The Costs Add Up Faster Than Most Businesses Expect#
To put it in concrete terms, here's a realistic picture of what a breach and the resulting non-compliance process costs a mid-sized US business:
Monthly non-compliance fees from your acquirer during remediation: $6,000-$30,000 per month. If remediation takes six months, that's up to $180,000 in fees before any breach costs.
Mandatory forensic investigation: $65,000-$260,000 for a medium-complexity environment. More if your infrastructure is complex or geographically distributed.
Card replacement liability if you're found responsible: varies widely, but $65,000-$650,000 is realistic for a breach affecting tens of thousands of cards.
Remediation work — patching systems, implementing encryption, upgrading infrastructure: $25,000-$130,000 for a business of modest scale.
Ongoing Level 1 compliance program once you're required to move up: $40,000-$130,000 per year.
FTC consent decree obligations and state AG settlements: highly variable, but settlements of $500,000-$5 million are common for mid-sized businesses; major brands settle for tens or hundreds of millions.
For a business processing a few hundred thousand dollars per month in card transactions, the total exposure from a single breach can reach $650,000 to $1.3 million before reputational impact is factored in.
The Smarter Approach: Descoping Rather Than Remediating#
The most effective response to PCI compliance risk isn't trying to secure a complex, high-scope environment. It's reducing that scope so that most of your systems and processes simply don't touch cardholder data in the first place.
This is what descoping means in practice. When card data never enters your environment — never passes through your call recordings, never reaches your agents' desktops, never sits on your servers — those systems aren't in scope for PCI assessment. You can't fail an audit of infrastructure that has no cardholder data in it.
Paytia's approach is straightforward. When a customer pays by phone using Paytia's platform, their card details go straight from their phone keypad to Paytia's PCI DSS Level 1 certified environment. DTMF masking suppresses the tones representing the card number — your agent can't hear them, your call recording system can't capture them. The payment processes, the customer gets confirmation, and your environment has never seen the card data.
The compliance implications are significant. A US business that previously had 50 systems in scope for PCI assessment because agents were handling card payments can reduce that number to near zero. The quarterly ASV scans, the annual QSA visits, the ongoing evidence collection for every in-scope control: all of that applies to a much smaller footprint, or potentially none of your systems at all. The one thing descoping does not remove is the obligation to validate: a merchant whose payment channel is fully outsourced still completes a (short) SAQ A each year and remains responsible under Requirement 12 for tracking the service provider's own PCI DSS status.
We've seen businesses cut their annual PCI compliance costs by 70-90% through descoping alone. Not by investing in more security technology for their existing environment, but by keeping card data out of that environment entirely.
Waiting Is the Expensive Option#
The businesses that end up with the worst outcomes tend to be the ones that knew they had compliance gaps but kept deferring the fix. The monthly non-compliance fee feels manageable. The breach feels unlikely. The QSA audit is still six months away.
Then something goes wrong — a breach, a complaint from a card issuer, a failed audit — and suddenly they're negotiating with their acquirer, funding a forensic investigation, fielding inquiries from the FTC and state AGs, and wondering whether they'll still be able to process card payments in three months.
The economics of prevention versus remediation aren't close. A proper descoping exercise and the right payment infrastructure costs a fraction of what it costs to deal with the aftermath of a breach. It removes not just the fine risk, but the operational disruption, the reputational damage, and the years of heightened compliance scrutiny that follow a serious incident.
If your contact center or telephone payment process involves agents hearing card data, or if you're recording calls without suppressing cardholder information, that's where to start. Talk to Paytia about how descoping your phone payments works and what it would take to reduce your compliance risk from day one.
Visa and Mastercard Fine Structures: The Detail Businesses Don't Expect#
The card brand fine structures are more granular than most US businesses realize, and understanding how they're applied helps explain why non-compliance situations can escalate so quickly.
Visa operates a tiered compliance program. Tier 1 non-compliance — businesses out of compliance but with no breach — generates monthly fees starting at $5,000 per month. These increase progressively at 30, 60, and 90 days. At 180 days without resolution, Visa can move to disqualification proceedings, which would remove your ability to accept Visa cards.
Mastercard's structure is similar but has historically been slightly more aggressive at the escalation points. The fees are applied to your acquirer first, but most US acquiring agreements include pass-through provisions for compliance-related charges, so the cost lands with the merchant.
Importantly, these fees are applied per violation category, not as a single monthly total. A business with multiple compliance gaps — inadequate encryption, insufficient access controls, and missing audit logging — can face multiple concurrent fine tracks. That's how non-compliance situations that seem manageable on paper become significant in practice.
American Express operates a similar structure through its OptBlue and direct acquirer programs. For businesses with significant Amex transaction volumes, a separate compliance track with Amex adds another layer to the remediation process.
What Happens When a QSA Finds Non-Compliance#
Qualified Security Assessors conduct onsite PCI assessments for Level 1 merchants and are increasingly used by Level 2 merchants as well. Understanding what happens when they find a problem matters, because the process isn't the same as being fined on the spot.
When a QSA identifies a compliance gap, they record it as a "Not in Place" finding in their report. If the gap is material, the Report on Compliance (RoC) for that year documents a failed assessment and the QSA cannot sign an Attestation of Compliance (AoC) stating that you are compliant. The merchant's acquiring bank is notified, and the clock starts on the remediation timeline.
The QSA will typically provide a remediation roadmap — a list of specific controls that need to be implemented or verified before a passing assessment can be issued. The business then has to remediate those gaps and either bring the QSA back for a follow-up assessment or, in some cases, demonstrate compliance through evidence submission.
This process takes time. Between the failed assessment, the remediation work, and the follow-up validation, it's common for three to six months to pass — during which the monthly non-compliance fees keep running.
For US businesses that have never been through a formal PCI assessment, a QSA audit is often the moment when the actual scope of their compliance obligations becomes clear. The finding that agents can hear card numbers on calls, or that call recordings contain unmasked PAN data, is a significant escalation from "we haven't thought about this" to "we have a documented compliance failure with a remediation deadline."
Building the Right Foundation Before Problems Arise#
The US businesses that handle PCI compliance most effectively are the ones that built it into their payment architecture from the start, rather than trying to retrofit it after a QSA visit or a breach.
For contact centers specifically, this means making sure that agents never see or hear card data. Not through policy alone — policies fail — but through technology that makes it structurally impossible for card data to enter the agent environment. DTMF masking for phone payments, secure payment links for digital wallet or card-not-present transactions, and IVR payment flows for self-service channels all achieve this in different ways.
The compliance cost savings from getting this right upfront are substantial. A business that descopes its contact center from card data handling before its first QSA audit faces a simpler, cheaper assessment than one that has to remediate years of accumulated exposure.
Speak to Paytia if you're working through a compliance assessment or building new payment capabilities. We've helped American businesses in financial services, utilities, healthcare, and contact center environments sort out their phone payment security, and we can walk you through what the right architecture looks like for your specific situation.
Frequently Asked Questions#
What's the maximum PCI DSS fine?
There's no fixed maximum. Card brands can levy fines of up to $100,000 per month per violation through your acquirer, and those charges run until compliance is achieved. Separately, FTC consent orders, state AG settlements, and CCPA private right of action settlements can run into the millions or hundreds of millions for serious breaches.
Who actually pays the PCI fine — the business or the bank?
Card brands fine the acquiring bank, which passes the cost to the merchant. Practically speaking, the business pays — the acquirer is just the intermediary in the process.
Can a US business lose the ability to accept card payments?
Yes. Mastercard and Visa can terminate a merchant's right to accept their cards for persistent non-compliance or after a serious breach. It's the nuclear option, but it happens.
Is PCI DSS a legal requirement in the US?
PCI DSS itself is a contractual requirement, not a federal law — imposed by the card brands through your agreement with your acquiring bank. However, a breach that exposes personal data triggers FTC unfair-practices authority, state data breach notification laws in all 50 states, and state-specific privacy laws like CCPA, SHIELD Act, and BIPA — all of which are legal requirements with statutory penalties.
How does Paytia reduce PCI compliance burden?
Paytia uses DTMF masking and channel separation as part of Paytia's PCI DSS v4 platform to keep card data out of your environment entirely. When your systems never touch cardholder data, they don't fall within PCI scope, which means lower compliance costs, fewer systems to audit, and significantly reduced breach risk.
For a fuller picture of what counts as a breach, see our glossary entry on PCI DSS non-compliance.
Related reading#
- What Is PCI DSS? A Plain-English Guide
- The 12 PCI DSS Requirements
- How Much Does PCI Compliance Cost?
- PCI Compliance and Call Recording
- What Is DTMF?