PCI DSS Non-Compliance Cost Calculator
Estimate the cost of PCI DSS non-compliance after a payment-card breach: the monthly acquirer/brand fines that accrue until you are compliant again, plus the cost of reissuing the exposed cards. PCI penalties are contractual (set by the card brands and your acquiring bank), not statutory — the default ranges below are widely reported, not published thresholds. Every figure is editable. Informational, not legal or contractual advice. Figures as of Jun 25, 2026 — sources.
Cost breakdown
| Component | Calculation | Estimated cost |
|---|---|---|
| Monthly non-compliance fines | 3 months × $25,000 | $75,000 |
| Card reissuance | 50,000 cards × $5 | $250,000 |
| Total | $75,000 + $250,000 | $325,000 |
Forensic investigation (a PCI Forensic Investigator engagement), fraud losses and re-validation costs are not broken out separately — fold them into a longer fines window or a higher per-card figure if you want them included.
Total = ( months × monthly fine ) + ( cards reissued × cost per card )
Default ranges (reported, not statutory): monthly fine $5,000–$100,000 · per card $3–$10
How it works
The Payment Card Industry Data Security Standard (PCI DSS) is the security baseline every business that stores, processes or transmits cardholder data is required to meet. The important thing to understand about its penalties is that they are contractual, not statutory. There is no government fine for "breaching PCI DSS". Instead, the card brands — Visa, Mastercard, American Express, Discover and JCB — impose fines on the acquiring banks that sponsor merchants, and those banks pass the cost down to the merchant through the merchant services agreement. So the chain of liability runs brand → acquirer → you, and the exact numbers live in private contracts and the brands' confidential operating rules rather than in any public statute. The figures used here are widely reported ranges, supplied as editable defaults precisely because no single "official" number exists.
Two streams dominate the cost. The first is the monthly non-compliance fine. After a card-data breach, or when a merchant is found non-compliant, the acquirer can be fined a recurring monthly amount — commonly reported between $5,000 and $100,000 — that continues every month until the merchant demonstrates a return to compliance. These fines often escalate: the longer the non-compliance lasts, the larger the monthly figure becomes. That open-ended, time-based structure is why the "months of fines" input is the single most sensitive lever in the model.
The second stream is card reissuance. When a breach exposes payment-card numbers, the issuing banks must produce and mail replacement cards to every affected customer, and they recover that expense — typically $3 to $10 per card, covering card production, postage, administrative handling and fraud monitoring — back through the card brands to the breached merchant's acquirer. Because this cost is multiplied by the number of cards exposed, it becomes the largest single line for any sizeable card breach: a breach touching 50,000 cards at $5 a card is already $250,000 before a single monthly fine is counted. The calculator simply adds the two streams: months × monthly fine, plus cards × cost per card.
Beyond these two, a real PCI incident usually also triggers a mandatory forensic investigation by a PCI Forensic Investigator, fraud-loss liability, and the internal cost of remediation and re-validation. This tool does not break those out as separate lines; if you want them included, the cleanest approach is to extend the fines window or raise the per-card figure to absorb them, keeping the model transparent. This estimator is informational and is not legal or contractual advice. The numbers that actually bind you are in your acquirer agreement and the card brands' rules, and they vary enormously by merchant level, transaction volume and the facts of the breach. Use this to build a planning range, not a prediction.
A worked example
Take a mid-sized merchant that suffers a card breach and stays non-compliant for 3 months at a $25,000/month fine, with 50,000 cards exposed at $5 each to reissue.
- Monthly fines = 3 × $25,000 = $75,000
- Card reissuance = 50,000 × $5 = $250,000
- Total = $75,000 + $250,000 = $325,000
The reissuance dominates here, as it usually does. Push the fine window from 3 months to 9 — a realistic scenario if remediation drags — and the fines triple to $225,000, nearly matching the reissuance cost. Change any of the four inputs above and the breakdown updates instantly, so you can see which lever moves your exposure most. To estimate the cost of notifying the affected cardholders, use the breach notification cost calculator; for the full operational cost of the incident, the data breach cost estimator.
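The formula and the worked example above, as an added Python model that is not BreachCostLab's own calculator code. It implements Total = (months × monthly fine) + (cards × cost per card), then adds two things the page describes but does not compute: a low/high planning range built from the reported default ranges ($5,000–$100,000 per month, $3–$10 per card), the month in which accrued flat fines reach the reissuance cost, and a tiered escalating fine schedule. The tier schedule in `main` is constructed for illustration only; real tiers come from your acquirer agreement.

```python
"""PCI DSS non-compliance cost model (added example, not the page's own code)."""
from __future__ import annotations

from dataclasses import dataclass
from math import ceil

# Reported (not statutory) default ranges quoted on the page, USD.
MONTHLY_FINE_RANGE_USD = (5_000, 100_000)
PER_CARD_RANGE_USD = (3, 10)


@dataclass(frozen=True)
class PciCostInputs:
    months_non_compliant: int
    monthly_fine_usd: float
    cards_exposed: int
    cost_per_card_usd: float

    def __post_init__(self) -> None:
        # Reject negative counts or rates rather than silently producing a credit.
        if self.months_non_compliant < 0 or self.cards_exposed < 0:
            raise ValueError("months and card counts must be non-negative")
        if self.monthly_fine_usd < 0 or self.cost_per_card_usd < 0:
            raise ValueError("fine and per-card cost must be non-negative")


def cost_breakdown(inp: PciCostInputs) -> dict[str, float]:
    """Flat-fine model: the two streams the calculator adds together."""
    fines = inp.months_non_compliant * inp.monthly_fine_usd
    reissuance = inp.cards_exposed * inp.cost_per_card_usd
    return {"fines": fines, "reissuance": reissuance, "total": fines + reissuance}


def planning_range(months: int, cards: int) -> tuple[float, float]:
    """Low and high totals for a given window and card count, using the
    bottom and top of the reported ranges for both rates."""
    low = cost_breakdown(PciCostInputs(
        months, MONTHLY_FINE_RANGE_USD[0], cards, PER_CARD_RANGE_USD[0]))
    high = cost_breakdown(PciCostInputs(
        months, MONTHLY_FINE_RANGE_USD[1], cards, PER_CARD_RANGE_USD[1]))
    return low["total"], high["total"]


def months_until_fines_match_reissuance(inp: PciCostInputs) -> int | None:
    """First month in which accrued flat fines reach or exceed the reissuance
    cost; None when the monthly fine is zero (fines never catch up)."""
    if inp.monthly_fine_usd == 0:
        return None
    reissuance = inp.cards_exposed * inp.cost_per_card_usd
    return ceil(reissuance / inp.monthly_fine_usd)


def accrued_fines(months: int, tiers: list[tuple[int, float]]) -> float:
    """Escalating fines. `tiers` is [(first_month, monthly_fine), ...] sorted by
    first_month with the first tier starting at month 1; each month is charged
    at the tier in force for that month."""
    if not tiers or tiers[0][0] != 1:
        raise ValueError("tier schedule must start at month 1")
    total = 0.0
    for month in range(1, months + 1):
        # Last tier whose start month is at or before this month.
        rate = next(fine for start, fine in reversed(tiers) if month >= start)
        total += rate
    return total


if __name__ == "__main__":
    page = PciCostInputs(3, 25_000, 50_000, 5)
    b = cost_breakdown(page)
    print(f"fines ${b['fines']:,.0f} + reissuance ${b['reissuance']:,.0f}"
          f" = ${b['total']:,.0f}")
    print("planning range for the same window/cards:", planning_range(3, 50_000))
    print("flat fines reach reissuance at month",
          months_until_fines_match_reissuance(page))
    # Constructed escalation schedule for illustration; not a real brand tier table.
    tiers = [(1, 25_000), (4, 50_000), (7, 100_000)]
    print("9 months under the constructed tiered schedule:", accrued_fines(9, tiers))
```

Running the script reproduces the page's $75,000 + $250,000 = $325,000 breakdown, shows that the same 3-month/50,000-card scenario spans $165,000 to $800,000 across the reported ranges, and that at a flat $25,000 a month the fines only reach the reissuance cost in month 10, which is why the months input is the lever to watch when remediation drags.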
Frequently asked questions
Are PCI DSS fines set by law?
No. Unlike GDPR or HIPAA, PCI DSS is not a statute and its penalties are not government fines. They are contractual: the card brands (Visa, Mastercard and others) levy fines on your acquiring bank for non-compliance after a card-data breach, and the acquirer passes them on to you under your merchant agreement. The amounts here — $5,000–$100,000 per month, $3–$10 per reissued card — are widely reported ranges, not published thresholds.
What drives the total cost?
Three main streams: monthly fines that accrue while you remain non-compliant; the cost of reissuing every payment card exposed in the breach (the issuing banks bill this back through the brands); and forensic investigation (a PCI Forensic Investigator engagement) plus fraud losses. This tool models the first two explicitly and lets you fold the rest into the per-card figure or a longer fines window.
How much does card reissuance cost?
Reported per-card costs run from about $3 to $10, covering producing and mailing a new card, the issuer's administrative handling, and associated fraud monitoring. Multiply by the number of cards exposed and it becomes the dominant cost for any large card breach — 50,000 cards at $5 each is already $250,000.
Can these fines really last for months?
Yes. The monthly fine typically continues until the acquirer is satisfied you have returned to compliance — remediated the environment, passed re-validation, and demonstrated the gaps are closed. Tiered escalation is common: the monthly amount can rise the longer non-compliance persists. Because timing is uncertain, the months input here is a planning lever, not a fixed figure.
Is this an exact prediction?
No. The exact fines, card counts and per-card costs are set by your acquirer agreement and the specific facts of the incident, which vary widely and are confidential. This calculator is informational and is not legal or contractual advice; use it to size a planning range, and refer to your merchant services agreement and the card brands' operating rules for the figures that actually bind you.
Disclaimer. BreachCostLab provides cost and risk estimates for informational purposes only, based on published industry benchmarks (e.g. IBM/Ponemon Cost of a Data Breach, Verizon DBIR) and publicly available statutory figures as of the verification date shown (Jun 25, 2026). These figures are estimates for planning, not a prediction of the cost of any specific incident, and are not legal, financial, insurance, or compliance advice. Actual breach costs vary widely; for regulatory obligations consult qualified counsel. Always verify current figures with the cited sources.