The PCI DSS is not a law. It's an industry standard created by the five major credit card companies: Visa, Mastercard, American Express, Discover Financial, and JCB International. These companies established PCI DSS to protect payment card data and reduce fraud across the payment industry.
While PCI DSS isn't legally mandated, non-compliance can result in serious financial and business consequences. If you experience a data breach while non-compliant, penalties can include:
- Forensic audit costs (often $50,000-$500,000+)
- Card replacement costs for all affected customers
- Liability for fraudulent transactions on compromised cards
- Legal costs and potential lawsuits from affected customers
Business impact:
- Significant brand and reputation damage
- Loss of customer trust and business
- Potential regulatory investigation depending on your industry
- Insurance claims may be denied if you weren't compliant
Key point
Although PCI DSS compliance is contractually required through your merchant agreement rather than legally mandated, the financial and business risks of non-compliance can be severe enough to threaten your business's survival. Most payment processors require compliance as a condition of providing payment processing services.