The Payment Card Industry Data Security Standard (PCI DSS) is a broad set of requirements for keeping credit card information safe. A recent survey discovered that over half of American cardholders have been hit by fraudulent credit card charges multiple times. In fact, credit card fraud in the United States jumped from 275,000 cases in 2019 to nearly 475,000 in 2024. Data security is more important than ever, but is PCI compliance required by law?
PCI DSS isn’t a government standard, so there’s no legal requirement for businesses to follow its rules. No government agency is going to send agents to your office to audit your records for PCI compliance. That said, following the PCI DSS is essential for the vast majority of retailers, restaurants, e-commerce businesses, and healthcare providers in the United States.
To understand why PCI compliance isn’t a law, you need to understand the difference between laws and standards:
Laws and regulations come from U.S. courts or government agencies. In contrast, standards can come from non-profit or private organizations.
The PCI DSS framework was created by the PCI Security Standards Council, an international group of credit card networks and advisory organizations. The founding members of the PCI SSC were Visa, American Express, Mastercard, Discover, and JCB International.
Even though PCI DSS isn’t a law, it’s not exactly optional, either. If your business accepts credit cards, debit cards, or mobile payments, you have to follow PCI DSS requirements.
PCI compliance is mandatory for a wide range of industries and organizations:
Even smaller organizations that process payments using point-of-sale terminals must comply with PCI requirements based on transaction volume. If you want the revenue that comes with credit cards and mobile apps, you don’t have a choice: It’s PCI or the highway.
The PCI SSC doesn’t oversee PCI compliance directly. Instead, each card brand manages the acquirers and merchants that are under its network. Visa, Discover, and Mastercard even have slightly different validation requirements for PCI compliance levels.
If your business experiences a data breach or another serious PCI violation, here’s what happens:
Do card networks and acquiring banks have the authority to issue and collect these fines? Yes, for two reasons.
Before your company can accept credit card payments, it must partner with an acquiring bank, the middleman between merchants and major card networks like Visa and Mastercard. As part of this process, the acquirer creates a merchant account for your business. All of the money you make from every transaction is deposited into this bank account.
If you get hit by a penalty for PCI DSS non-compliance, it’s easy for the acquirer to simply withdraw the necessary funds from your merchant account. If there’s not enough money to cover the fees, the bank can take your business to court.
When you partner with an acquiring bank — even online payment providers like Stripe and PayPal — you have to sign a merchant service agreement. This agreement is a legally binding contract, and it outlines your responsibilities.
All MSAs include a section on payment security and PCI DSS compliance. Many also have clauses for indemnification and legal liability. The contract outlines all fees, including penalties for early contract termination, and details regarding PCI violations.
This adds a small wrinkle to the question at the beginning of the article. Is PCI compliance required by law? Not in the sense of government enforcement, but yes, from the perspective of contract law and your merchant agreement.
Each card network sets its own rules for handling PCI compliance violations. The costs depend on the nature of the failure, how severe it is, and how well your organization has complied with PCI rules in the past.
If a PCI failure is identified during an external audit of your systems, card networks often require remediation before authorizing you to keep processing transactions. This is why many organizations schedule an annual PCI compliance risk assessment or use a continuous compliance monitoring platform.
Data breaches, improper access to cardholder data, and other serious PCI compliance violations can result in fines. The cost of PCI fines can reach $100,000 or more. The more cardholder data is exposed, the higher the penalties.
Organizations that cause egregious PCI failures or repeatedly fail to implement data security best practices can lose the ability to process payment cards at all. This can have a chilling effect on your relationship with consumers and business clients.
Data breaches can also incur legal fees and penalties. The sensitive nature of credit card data and the fact that breaches often affect thousands of people can make the final cost of PCI violations staggering. In 2008, Heartland Payment Systems paid over $12 million to Visa and Mastercard for a data breach, but the final cost of the breach was over $125 million.
Why does your business need PCI compliance? If your answer is “to avoid penalties,” you’re missing the forest for the trees. Implementing PCI cybersecurity requirements is more important because it protects your data, your systems, your clients, and your reputation. Learn more about the power of PCI compliance automation with Compyl.