
PCI DSS Non-compliance: Fees and Other Consequences You Need to Know About

  • Jul 02, 2020

Anastasiia S., Copywriter

Elena K., Head of Quality Assurance office

The Payment Card Industry Data Security Standard (PCI DSS) was established by Visa, Mastercard, and other credit card giants back in the early 2000s to protect cardholders’ information. As an international standard, it requires any company that handles clients’ credit card information in any way to comply with its requirements. Companies that fail to do so are held accountable and face penalties.

In this article, we take a close look at the fees and other common consequences of PCI DSS non-compliance.

#1 Fees and penalties for non-compliance

The size of the non-compliance fee that the PCI DSS Council imposes on a company depends on two factors.

The first is the company’s size, which is determined by the number of transactions it processes per year. Based on this factor, all companies are divided into four levels. Fourth-level companies usually don’t face fines, while first-level companies face the greatest financial responsibility for non-compliance.

The second factor that influences the amount of a fine is the period of non-compliance with the standard. A company that has been non-compliant for one month pays less than one that has been non-compliant for seven months, for instance. Fines are imposed monthly until the company meets the standard.

In the image below, you can see how the size of a fine varies for first- and second-level companies:

[Image: PCI DSS non-compliance fee]

#2 Revoked right to process transactions

An acquiring bank is a bank that processes your company’s transactions, and it’s that bank’s duty to keep track of your PCI DSS compliance. If a bank discovers that your company isn’t compliant, they must inform the council about it. Once this information is disclosed, the council will insist on you becoming compliant. However, this is a long and costly process, so you might not be forced to do it immediately.

However, if you don’t move towards becoming PCI DSS compliant, you can eventually be denied the right to process transactions. This decision may come from either the council or your acquiring bank.

#3 Fees and penalties for data loss

If hackers manage to steal your customers’ data, you’re responsible for the leakage even if you’re PCI compliant. In this case, you’ll need to compensate up to $90 per compromised credit card record. Moreover, a security breach leads to a fine of up to half a million dollars depending on the severity of the case. However, the total amount of the fine can exceed even your worst expectations.

Target, one of the biggest retail corporations in the USA, experienced a hacker attack in 2013. Over the three weeks the attackers operated inside its systems, Target lost the credit card data of 40 million customers. As a result, the company spent almost $150 million to settle the issue. What’s most shocking about this situation is that Target had installed new malware detectors in its security system six months before the attack.

Another example is Equifax, an American credit reporting agency, which was held accountable for losing the personal data of 147 million people back in 2017. To settle the consequences of the data breach, Equifax agreed to pay more than $550 million.

There are many more examples of large corporations that, despite their advanced security systems, became victims of hackers.

#4 Costs of potential lawsuits

Another consequence your company might experience is lawsuits, and there are several ways you can face them:

  • Data breach. If your actions somehow lead to a data breach, your customers might want to take legal action against your company for letting this happen. The recent case with UK EasyJet airlines shows that such situations can be really hard for companies to handle, especially if one company must defend itself against a class-action lawsuit supported by more than nine million customers.
  • PCI DSS non-compliance can frequently become a reason for credit card associations to sue your company. Or an acquiring bank can be a complainant in court if they decide your company is accountable for any issues connected with the insecurity of cardholders’ data. This was the case when two American banks sued Target and Trustwave Holdings, Inc to compensate $5 million for the consequences of the 2014 Target data breach.
  • Lawsuits filed by you. Another scenario is if your company files a lawsuit against an acquiring bank or credit card association claiming their penalties aren’t fair. A similar lawsuit was initiated by Genesco against Visa and Mastercard. Genesco, a large American branded footwear retailer, sued the credit card companies for imposing a fine for data leakage without real evidence. However, even if the law is on your side, it will take a lot of time and effort to prove your point.

#5 Lost reputation

Although cases of PCI non-compliance aren’t revealed to the public unless they’re really serious, your company’s reputation still might suffer. Acquiring banks and credit card companies are unlikely to go out of their way to damage your reputation. But sooner or later, your customers can find out that your company isn’t reliable in terms of data security. Once that happens, they’ll think twice before paying for your products or services. Moreover, they’ll hardly recommend you to their friends and family. Thus, you can lose your existing customers as well as potential ones.

If your company is caught being PCI non-compliant, or people start discussing issues related to possible data breaches for which you are at fault, here are some tips to save your reputation:

  • Look for customer-focused solutions. Be customer-oriented whatever it takes. Think of how you can stop the data breach or compensate your customers for lost information. Also, consider ways to better protect your customers’ information in the future.
  • Make fast yet thoughtful decisions. Being guilty of losing your customer’s data isn’t enjoyable and can put pressure on your company’s management. Still, you should try to improve the situation as fast as possible.
  • Become PCI DSS compliant. This standard is the only one of its kind that guarantees your company is safe to cooperate with when it comes to processing information. Becoming PCI DSS compliant can minimize the possibility of hacker attacks and data loss in the future.

#6 Increasing customer churn

Surveys by BusinessWire reveal that up to 85 percent of consumers would stop their cooperation with a company after a major data breach. Can you imagine losing 85 percent of your customers? How much money and effort would you have to spend to return at least part of those dissatisfied consumers?

In the infographic below, you can see possible rates of customer churn for a PCI non-compliant company as well as other negative consequences your company can experience.

[Image: PCI DSS non-compliance penalties]

#7 Decreased revenue

This consequence is closely related to increased customer churn. Once you lose customers, you lose profits. You’ll also need to spend money on PCI non-compliance fees, compensation, and other costs of recovering from your failure to meet the standard.

How to avoid fees and other consequences of PCI non-compliance?

Obtaining and maintaining PCI DSS compliance can cost companies hundreds of thousands of dollars. However, non-compliance can turn out to be several or even a dozen times more expensive. So take care of meeting the standard to ensure the security of your customers’ data as well as your business.

FAQ

  1. Non-compliance can result in different troubles for your business, the most common of which are:

    • Monthly fines 
    • Revoked right to process transactions
    • Penalties for data breaches
    • Lawsuits
    • Reputational losses
    • Customer churn
    • Decreased revenue
  2. The size of a fine depends on the size of your business as well as the period of non-compliance. Fines vary from $5 to $100,000 per month. If you want to check your company for PCI compliance, contact us for a professional audit.

  3. Examples of large corporations that have experienced legal proceedings connected with PCI DSS non-compliance demonstrate that there are two kinds of lawsuits:

    • Lawsuits filed by a company’s customers
    • Lawsuits filed by an acquiring bank or by credit card companies
