Form: Cost-of-Breach Disclosure | Source: IBM 2025 | Filed: 28 Apr 2026
DataBreachCost.com
Reg File 09. PCI / Payment Card Industry Data Security Standard (PCI SSC / Visa / Mastercard)

Regulator profile

PCI DSS breach cost: $5K-$100K monthly fines + $5-$15 per card reissuance.

PCI DSS is a contractual rather than statutory regime, enforced through acquiring-bank merchant agreements that flow down requirements from Visa, Mastercard, American Express, Discover, and JCB. Breach cost flows through three distinct lines: card-brand monthly fines ($5,000 to $100,000 per merchant ID), card reissuance reimbursement ($5-$15 per card), and mandatory PCI Forensic Investigator engagement ($200K-$2M). Target's Visa settlement of $67M is the largest single-card-brand component on record.

Key figures

Monthly fine: $5K-$100K (per merchant ID, per month)
Card reissuance: $5-$15 (per card, issuer side)
PFI investigation: $200K-$2M (mandatory for L1/L2 breaches)
Largest card-brand settlement: $67M (Target, Visa, 2015)

Section PCI.1

The contractual enforcement architecture

PCI DSS is not a law. It is a contractual standard owned by the PCI Security Standards Council, which is jointly funded by Visa, Mastercard, American Express, Discover, and JCB. Enforcement flows through the standard contractual structure: a merchant signs an acquiring agreement with a bank or payment processor; the acquiring agreement requires PCI DSS compliance; the acquirer's relationship with each card brand requires the acquirer to enforce PCI DSS on its merchants; the card brands monitor compliance through periodic audits and enforce non-compliance through the acquiring relationship.

The contractual structure has two material consequences for breach cost. First, the PCI SSC does not directly fine merchants. The card brands impose penalties on the acquirer, and the acquirer typically passes those penalties through to the merchant under the acquiring agreement. The pass-through is not automatic and frequently leads to disputes between the merchant and the acquirer. Second, the contractual nature limits judicial review of penalties: a merchant disputing a penalty assessment is in a contractual dispute with the acquirer, not an administrative-law dispute with a regulator. The remedies available are correspondingly different.

For breach response, this architecture means that breach cost flows through the acquiring relationship for everything except the public-statute components (state breach notification, FTC Section 5 actions, state AG enforcement). The breach playbook for a card-data-only breach is therefore heavily focused on managing the acquiring-bank relationship, including engagement of an acquiring-bank-approved PCI Forensic Investigator within hours of detection.

Section PCI.2

Card-brand monthly fines: the schedules

The card-brand penalty schedules are confidential and are not published by the PCI SSC. Public-record breach settlements indicate the following typical structure for an Account Data Compromise Event under the Visa programme: an initial fine of $5,000 per month per merchant ID during the investigation period, escalating to $25,000 to $100,000 per month if PCI DSS non-compliance is confirmed and not remediated, plus a per-card forensic-investigation reimbursement clause of $5 to $25 per exposed account, plus a per-card reissuance reimbursement clause of $5 to $15 per card depending on issuer type.

Mastercard's Alternative Recovery Offers programme provides a comparable structure with similar magnitudes. American Express and Discover have parallel structures with somewhat different administrative mechanics. For a merchant with substantial multi-brand transaction volume, the four (or five) card-brand penalty streams stack, producing total monthly penalty exposure that can reach mid-six-figures for a Tier 1 retailer with multi-month exposure.

For the breach-cost evidence base, the most useful public document is the Target SEC 10-K disclosure of the $67M Visa Account Data Compromise settlement, which provides line-item visibility into the monthly fine accumulation across 2014-2015 plus the per-card reissuance reimbursement. The Target case has been studied extensively as the worked example of a fully-loaded card-brand breach cost calculation.

Section PCI.3

The PCI Forensic Investigator (PFI) mandate

For any suspected Account Data Compromise Event involving 1,000 or more accounts at a Level 1 or Level 2 merchant, the card brands require engagement of a PCI Forensic Investigator. The PFI must be selected from the PCI SSC-approved list, must be engaged within 72 hours of breach confirmation, and must complete a comprehensive forensic investigation with specific deliverables.

PFI investigation cost runs $200K to $2M depending on scope. For a small breach at a single point-of-sale terminal, costs run at the low end. For a multi-store, multi-month POS breach (Target, Home Depot scale), costs run at the high end. The PFI report is submitted to the card brands and to the acquiring bank, with extensive detail on the attack vector, the data accessed, the scope of compromise, the controls that failed, and the remediation steps taken. The report becomes the primary evidence base for the card-brand penalty calculation and for any subsequent litigation.

Beyond the direct PFI cost, the merchant typically engages parallel non-PFI forensic counsel for litigation-privileged investigation. The dual-investigation structure is standard for any large card-data breach because the PFI report is not privileged and may be discoverable in subsequent class-action litigation. Total forensic spend in a major card-data breach therefore commonly runs $500K-$5M across the two parallel investigations.

Section PCI.4

Card reissuance: the line that catches everyone

Card reissuance is the largest single cost line in a typical card-data breach. The economics are straightforward: when a breach exposes card numbers, the affected issuers cancel and reissue the cards to prevent fraud. The per-card reissuance cost runs $5 to $15 depending on card type (basic vs premium with metal construction), embossing complexity, mailing class, and contact-center support for activation. For an issuer reissuing 10 million cards, baseline reissuance cost is $50M to $150M.

The PCI DSS framework provides for reimbursement from the breached merchant to the issuer through the Account Data Compromise Event programme. The reimbursement is typically $1 to $5 per card, materially below the issuer's actual reissuance cost. The difference is absorbed by the issuer as fraud-prevention expense. The merchant's exposure to direct issuer claims (outside the card-brand programme) was historically limited but has expanded since the 2015 amendments to the Visa and Mastercard rules that allow more direct issuer recovery of reissuance cost.

For card-issuing banks, the reissuance cost is one of the most painful breach-cost lines because it is incurred for a third-party breach. The bank had nothing to do with the breach but bears the operational cost of the response. Several major card issuers maintain dedicated breach-response teams whose entire workload is processing reissuance events triggered by merchant breaches. The structural unfairness of the cost allocation has been a persistent source of friction between issuers and merchants in the PCI DSS ecosystem.

Section PCI.5

PCI DSS 4.0 and the move toward continuous compliance

PCI DSS 4.0, fully effective 31 March 2025, introduces material structural changes that affect breach cost calculations. The most consequential changes are the move toward continuous compliance (rather than point-in-time annual assessment), expanded requirements for multi-factor authentication, new requirements for phishing-resistant authentication on administrative access to cardholder data environments, and explicit requirements for application-layer security testing.

The breach-cost implication of continuous compliance is that a breach occurring in a previously compliant environment now requires demonstration that compliance was maintained through the moment of breach, not just at the most recent annual assessment. This raises the evidentiary bar for merchants seeking to avoid penalty escalation. The PFI report under PCI DSS 4.0 must specifically address the continuous-compliance question, which has expanded the typical PFI investigation scope by approximately 20-30%, with a corresponding cost increase.

For merchants planning around PCI DSS 4.0 compliance, the annual ongoing cost has risen approximately 15-30% from the 3.x baseline depending on the maturity of the existing compliance programme. The investment is being absorbed across the merchant base with relatively limited pushback, partly because the alternative (non-compliance and elevated breach risk) is materially more expensive.


Primary source: PCI DSS breach cost data from PCI Security Standards Council published standards, public-record breach settlements (Target, Home Depot, TJX SEC 10-K filings), and PFI service-provider public statements on engagement scope and pricing.