Form: Cost-of-Breach Disclosure. Source: IBM 2025. Filed: 28 Apr 2026
DataBreachCost.com
Reg File 09. PCI / Payment Card Industry Data Security Standard. PCI SSC / Visa / Mastercard

Regulator profile

PCI DSS breach cost: $5K-$100K monthly fines + $5-$15 per card reissuance.

PCI DSS is a contractual rather than statutory regime, enforced through acquiring-bank merchant agreements that flow down requirements from Visa, Mastercard, American Express, Discover, and JCB. Breach cost flows through three distinct lines: card-brand monthly fines ($5,000 to $100,000 per merchant ID), card reissuance reimbursement ($5-$15 per card on the issuer side), and PCI Forensic Investigator engagement when the card brands require it ($200K-$2M). Target's $67M Visa settlement (2015) is the largest single-card-brand component on public record.

Monthly fine

$5K-$100K

Per merchant ID, per month

Card reissuance

$5-$15

Per card, issuer side

PFI investigation

$200K-$2M

When the card brands require it (typically L1/L2 breaches)

Largest card-brand settlement

$67M

Target Visa 2015

Section PCI.1

The contractual enforcement architecture

PCI DSS is not a law. It is a contractual standard owned by the PCI Security Standards Council, which is jointly funded by Visa, Mastercard, American Express, Discover, and JCB. Enforcement flows through the standard contractual structure: a merchant signs an acquiring agreement with a bank or payment processor; the acquiring agreement requires PCI DSS compliance; the acquirer's relationship with each card brand requires the acquirer to enforce PCI DSS on its merchants; the card brands monitor compliance through periodic audits and enforce non-compliance through the acquiring relationship.

The contractual structure has two material consequences for breach cost. First, the PCI SSC does not directly fine merchants. The card brands impose penalties on the acquirer, and the acquirer typically passes those penalties through to the merchant under the acquiring agreement. The pass-through is not automatic and frequently produces dispute resolution between the merchant and the acquirer. Second, the contractual nature limits judicial review of penalties: a merchant disputing a penalty assessment is in a contractual dispute with the acquirer, not an administrative-law dispute with the regulator. The remedies available are correspondingly different.

For breach response, the architecture means that breach cost flows through the acquiring relationship for everything except the public-statute components (state breach notification, FTC Section 5 actions, state AG enforcement). The breach playbook for a card-data-only breach is therefore heavily focused on managing the acquiring-bank relationship, including prompt engagement of a PCI Forensic Investigator from the PCI SSC's approved list as soon as the card brands indicate that a forensic investigation is required.

Section PCI.2

Card-brand monthly fines: the schedules

The card-brand penalty schedules are confidential and are not published by the PCI SSC. Public-record breach settlements indicate the following typical structure for an Account Data Compromise Event under the Visa programme: an initial fine of $5,000 per month per merchant ID during the investigation period, escalating to $25,000 to $100,000 per month if PCI DSS non-compliance is confirmed and not remediated, plus a per-card forensic-investigation reimbursement clause of $5 to $25 per exposed account, plus a per-card reissuance reimbursement clause of $1 to $5 per card (materially below the issuer's actual $5-$15 reissuance cost, as detailed in Section PCI.4).

Mastercard's Alternative Recovery Offers programme provides a comparable structure with similar magnitudes. American Express and Discover have parallel structures with somewhat different administrative mechanics. For a merchant with substantial multi-brand transaction volume, the four (or five) card-brand penalty streams stack, producing total monthly penalty exposure that can reach mid-six-figures for a Tier 1 retailer with multi-month exposure.

For the breach-cost evidence base, the most useful public document is Target's SEC 10-K disclosure of the $67M settlement with Visa in 2015, which was structured to reimburse Visa-issuing banks for their costs following the 2013 breach and is the best-documented aggregate figure for a single card brand's recovery. The Target case has been studied extensively as the worked example of a fully-loaded card-brand breach cost calculation, even though the underlying penalty schedules remain confidential.

Section PCI.3

The PCI Forensic Investigator (PFI) mandate

For a suspected Account Data Compromise Event at a Level 1 or Level 2 merchant, the card brands will generally require engagement of a PCI Forensic Investigator; the working threshold cited here is 1,000 or more accounts, but Visa makes the determination and notifies the entity that an investigation is required. The PFI must be selected from the PCI SSC-approved list. Under Visa's published "What To Do If Compromised" requirements, the compromised entity must engage a PFI within five business days of Visa's notification that a forensic investigation is required; the PFI must then deliver a Preliminary Incident Response Report within five business days of engagement and a Final PFI Report within ten business days of completing the investigation.

PFI investigation cost runs $200K to $2M depending on scope. For a small breach at a single point-of-sale terminal, costs run at the low end. For a multi-store, multi-month POS breach (Target, Home Depot scale), costs run at the high end. The PFI report is submitted to the card brands and to the acquiring bank, with extensive detail on the attack vector, the data accessed, the scope of compromise, the controls that failed, and the remediation steps taken. The report becomes the primary evidence base for the card-brand penalty calculation and for any subsequent litigation.

Beyond the direct PFI cost, the merchant typically engages parallel non-PFI forensic counsel for litigation-privileged investigation. The dual-investigation structure is standard for any large card-data breach because the PFI report is not privileged and may be discoverable in subsequent class-action litigation. Total forensic spend in a major card-data breach therefore commonly runs $500K-$5M across the two parallel investigations.

Section PCI.4

Card reissuance: the line that catches everyone

Card reissuance is the largest single cost line in a typical card-data breach. The economics are straightforward: when a breach exposes card numbers, the affected issuers cancel and reissue the cards to prevent fraud. The per-card reissuance cost runs $5 to $15 depending on card type (basic vs premium with metal construction), embossing complexity, mailing class, and contact-center support for activation. For a card-issuer reissuing 10 million cards, baseline reissuance cost is $50M to $150M.

The PCI DSS framework provides for reimbursement from the breached merchant to the issuer through the Account Data Compromise Event programme. The reimbursement is typically $1 to $5 per card, materially below the issuer's actual reissuance cost. The difference is absorbed by the issuer as fraud-prevention expense. The merchant's exposure to direct issuer claims (outside the card-brand programme) was historically limited but has expanded since the 2015 amendments to the Visa and Mastercard rules that allow more direct issuer recovery of reissuance cost.

For card-issuing banks, the reissuance cost is one of the most painful breach-cost lines because it is incurred for a third-party breach. The bank had nothing to do with the breach but bears the operational cost of the response. Several major card issuers maintain dedicated breach-response teams whose entire workload is processing reissuance events triggered by merchant breaches. The structural unfairness of the cost allocation has been a persistent source of friction between issuers and merchants in the PCI DSS ecosystem.

Section PCI.5

PCI DSS 4.0 and the move toward continuous compliance

PCI DSS 4.0 (now maintained as v4.0.1), whose future-dated requirements became mandatory on 31 March 2025 after v3.2.1 was retired on 31 March 2024, introduces material structural changes that affect breach cost calculations. The most consequential changes are the move toward treating compliance as a continuous process (rather than a point-in-time annual assessment), multi-factor authentication for all access into the cardholder data environment rather than only administrative access, with MFA implementations required to resist replay attacks and bypass, anti-phishing controls for personnel, and explicit application-layer security requirements: an automated technical solution (such as a web application firewall) in front of public-facing web applications, plus inventory and integrity monitoring of scripts on payment pages.

The breach-cost implication of continuous compliance is that a breach occurring in a previously-compliant environment now requires demonstration that compliance was maintained through the moment of breach, not just at the most recent annual assessment. This raises the evidentiary bar for merchants seeking to avoid penalty escalation. The PFI report under PCI DSS 4.0 must specifically address whether the relevant controls were in place at the time of the compromise, which PFI service providers estimate has expanded the typical investigation scope by roughly 20-30%, with a corresponding cost increase.

For merchants planning around PCI DSS 4.0 compliance, the annual ongoing cost is estimated to have risen roughly 15-30% from the 3.x baseline, depending on the maturity of the existing compliance programme. The investment is being absorbed across the merchant base with relatively limited pushback, partly because the alternative (non-compliance and elevated breach risk) is materially more expensive.

Section PCI.6

PCI DSS breach notification requirements

There is no single statutory "PCI breach notification" deadline. A card-data breach triggers two parallel notification tracks: the contractual card-brand reporting obligations that flow through the acquiring relationship, and the separate statutory US state breach-notification laws that govern notifying affected cardholders and state attorneys general when personal information is exposed. The card-brand track is the one most merchants overlook, and it runs on a much tighter clock than most state laws.

The clearest public statement of the card-brand track is Visa's What To Do If Compromised (WTDIC) supplemental requirements. A compromised entity must report the event to Visa's Global Risk Investigations group within three calendar days of discovering or suspecting a compromise, and must immediately notify its issuing or acquiring bank. Mastercard, American Express, and Discover maintain parallel reporting requirements with comparable timelines. These obligations sit on top of, not instead of, the statutory notification duties owed to cardholders under state law.

Obligation (Visa WTDIC) | Deadline | Notify
Report the compromise event | 3 calendar days of discovery/suspicion | Visa Global Risk Investigations; acquiring bank immediately
Submit the Incident Report | 3 calendar days of notifying Visa | Visa and acquiring bank
Provide list of at-risk accounts (CAMS) | 3 calendar days of the triggering scenario | Visa
Retain a PCI Forensic Investigator (if required) | 5 business days of Visa's notification | Inform Visa of PFI firm and lead investigator
Preliminary (initial) forensic report | 5 business days of retaining the PFI | Visa
Final forensic report | 10 business days of completing the investigation | Visa and affected acquirers

Deadlines quoted from Visa's What To Do If Compromised, Version 9.0. State breach-notification laws (for example California, 30 days under SB 446 effective January 2026; Florida, 30 days) run on separate, generally longer clocks and apply only where the exposed data meets each state's definition of personal information.
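The chain above mixes calendar-day and business-day clocks, and several clocks start from an event (Visa's PFI notice, the end of the investigation) that may not have happened yet, so an incident-response team typically keeps a small deadline calculator rather than counting on a calendar. The following Python is an added example written for this page; it is not tooling from Visa, the PCI SSC, or any PFI. The trigger-event names (discovery, cams_trigger, visa_pfi_notice, investigation_complete), the sample timeline, and the holiday calendar are this example's own assumptions, and it uses the deadlines as quoted on this page; the WTDIC text itself defines the actual triggering scenarios.

```python
"""Deadline chain for the Visa WTDIC obligations quoted on this page.

Added example, not Visa or PCI SSC tooling. Event keys, sample timeline
and holiday calendar are assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# (key, obligation, trigger event key, days, basis). The deadline values are those
# quoted on this page from WTDIC v9.0; the trigger keys are this example's own names.
# A clock's key doubles as the event name recorded when that obligation is met.
WTDIC_CLOCKS = (
    ("report_to_visa", "Report the compromise event to Visa GRI", "discovery", 3, "calendar"),
    ("incident_report", "Submit the Incident Report", "report_to_visa", 3, "calendar"),
    ("cams_list", "Provide the at-risk account list via CAMS", "cams_trigger", 3, "calendar"),
    ("retain_pfi", "Retain a PFI and inform Visa", "visa_pfi_notice", 5, "business"),
    ("preliminary_report", "Preliminary forensic report to Visa", "retain_pfi", 5, "business"),
    ("final_report", "Final forensic report to Visa and acquirers", "investigation_complete", 10, "business"),
)


@dataclass(frozen=True)
class Deadline:
    key: str
    obligation: str
    due: date
    basis: str
    assumed_trigger: bool  # True when the clock started from an upstream deadline, not a recorded event


def add_business_days(start: date, n: int, holidays: frozenset[date] = frozenset()) -> date:
    """Advance n business days (Mon-Fri, skipping holidays); the start day itself is not counted."""
    d, left = start, n
    while left > 0:
        d += timedelta(days=1)
        if d.weekday() < 5 and d not in holidays:
            left -= 1
    return d


def wtdic_deadlines(events: dict[str, date], holidays: frozenset[date] = frozenset()) -> dict[str, Deadline]:
    """Resolve every clock whose trigger is known.

    A trigger is either an event the team has recorded, or, if that event is itself
    subject to a deadline already computed, the latest permissible date for it (the
    worst case for everything downstream). Clocks with no known trigger are omitted,
    e.g. the PFI clocks before Visa has said a PFI is required.
    """
    out: dict[str, Deadline] = {}
    for key, obligation, trigger, days, basis in WTDIC_CLOCKS:
        if trigger in events:
            start, assumed = events[trigger], False
        elif trigger in out:
            start, assumed = out[trigger].due, True
        else:
            continue
        if basis == "calendar":
            due = start + timedelta(days=days)
        else:
            due = add_business_days(start, days, holidays)
        out[key] = Deadline(key, obligation, due, basis, assumed)
    return out


def overdue(deadlines: dict[str, Deadline], events: dict[str, date], today: date) -> list[str]:
    """Keys of obligations whose due date has passed with no completion event recorded."""
    return [k for k, d in deadlines.items() if d.due < today and k not in events]


# Constructed incident timeline for demonstration (not a real case).
SAMPLE_EVENTS = {
    "discovery": date(2026, 4, 28),              # Tuesday
    "report_to_visa": date(2026, 4, 29),         # reported one day after discovery
    "visa_pfi_notice": date(2026, 5, 1),         # Visa states a PFI investigation is required
    "retain_pfi": date(2026, 5, 6),              # PFI engaged
    "investigation_complete": date(2026, 5, 22),
}
SAMPLE_HOLIDAYS = frozenset({date(2026, 5, 25)})  # assumed holiday calendar (US Memorial Day 2026)


def sample_run() -> dict[str, Deadline]:
    return wtdic_deadlines(SAMPLE_EVENTS, SAMPLE_HOLIDAYS)


if __name__ == "__main__":
    for d in sample_run().values():
        flag = " (trigger assumed)" if d.assumed_trigger else ""
        print(f"{d.due}  {d.obligation}{flag}")
    print("overdue on 2026-05-10:", overdue(sample_run(), SAMPLE_EVENTS, date(2026, 5, 10)))
```

Two design points matter in practice. First, when an upstream event has not been recorded, the calculator assumes the merchant will use its full allowance, so every downstream date is the latest defensible one; recording the actual event tightens the chain. Second, a single holiday in the ten-business-day window moves the final-report date by a day, which is why the holiday calendar belongs in the tool rather than in someone's head.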


Primary source: PCI DSS breach cost data from PCI Security Standards Council published standards, public-record breach settlements (Target, Home Depot, TJX SEC 10-K filings), and PFI service-provider public statements on engagement scope and pricing.