
PCI DSS Fines

Contractual penalties assessed by payment card brands against merchants who fail to comply with Payment Card Industry Data Security Standards.

What It Is

PCI DSS fines are contractual penalties imposed by payment card networks (Visa, Mastercard, American Express, Discover) through acquiring banks on merchants who suffer a payment card data breach and are found to be non-compliant with Payment Card Industry Data Security Standards. These are not government-imposed fines but rather contractual assessments flowing through the merchant services agreement.

Assessments can include fines for non-compliance (typically $5,000-$100,000 per month until compliance is achieved), costs of forensic investigation mandated by the card brands, fraud losses on compromised cards charged back to the merchant, card reissuance costs ($3-$10 per compromised card), and increased transaction processing fees. For a significant breach, total PCI assessments can reach several million dollars.

Cyber policies address PCI fines under various names, including payment card industry fines and assessments, payment card loss, or contractual penalties. Coverage is typically subject to a sublimit and may require that the insured was PCI DSS compliant at the time of the breach as a condition of coverage. Some policies only cover PCI assessments resulting from a security breach, not from routine non-compliance audits.

Why It Matters for Brokers

Any commercial client that accepts credit card payments faces PCI DSS exposure, from a single-location restaurant to a large retail chain. Brokers placing cyber coverage for merchants must verify that PCI fines and assessments are covered, check the sublimit, and understand the compliance conditions. Many brokers overlook PCI coverage because the fines flow through the merchant services agreement rather than from a government regulator.

Real-World Example

A restaurant group with 12 locations suffers a point-of-sale breach compromising 85,000 payment cards. The acquiring bank passes through card brand assessments totaling $1.2M: $425,000 in fraud chargebacks, $340,000 in card reissuance costs at $4 per card, a $250,000 non-compliance fine, and $185,000 for the mandated PCI forensic investigation. The cyber policy's PCI fines sublimit of $500,000 covers only a portion, leaving $700,000 uninsured.

Common Mistakes

  1. Placing a cyber policy without PCI fines coverage for a client that processes credit card payments, leaving a major category of breach costs uninsured.
  2. Not reviewing the PCI compliance condition in the policy, which can be used to deny claims if the insured was non-compliant at the time of the breach.

How brokerageaudit.com Handles This

brokerageaudit.com's Submission Intake module asks whether the client processes payment cards and, if so, flags PCI fines coverage as a required element in the cyber placement. Policy Checker compares the PCI sublimit against the client's annual card transaction volume to assess adequacy and highlights any compliance-condition language that could affect claim recovery.
