CHAPTER 4: CONSEQUENCES OF A BREACH

The consequences of a data security breach are likely to be proportionate to the seriousness of the breach and the extent to which the merchant or service provider is able to demonstrate prior compliance with the PCI DSS. For level one merchants, the combination of fines, litigation and brand damage is significant; for non-level one merchants, the consequences of a breach are potentially as serious, and include:

  • A significant cost for a forensic investigation.
  • The merchant automatically becoming a level one merchant (i.e. yearly on-site audits).
  • A possible charge by issuer(s) to acquirer(s) for card reissue, which may be passed on to the merchant.
  • The merchant may lose its ability to accept payment cards.
  • Transaction costs may be increased.
  • Service providers may be removed from listings by the payment brands.
  • Merchants or service providers may become designated entities and subject to additional validation requirements.