Don’t risk the costs of noncompliance.
The deadline for full PCI DSS 4.0 compliance passed in March, but it’s not too late to upgrade. Dharma provides all the tools you need to stay compliant.
This is a long post about an important topic: PCI Compliance. It also gets scary, fast, as we talk about what can happen to a business that is not compliant. The abbreviated version of this post is: we urge you to get and stay compliant! Dharma provides all the tools you need to stay compliant, including a partnership with Sysnet, a premier provider of PCI DSS support.
Why do we need PCI?
Data breaches are increasingly common, and businesses handling sensitive customer data, especially credit card information, are prime targets.
As a merchant, you’re probably at least vaguely aware of PCI – the Payment Card Industry Data Security Standard – a set of rules to be followed to safeguard payment card data. PCI DSS 4.0, released in 2022, brings significant updates to address modern security threats.
The deadline to support full compliance was March 2025, meaning it’s important to understand what PCI DSS 4.0 means, why it matters, and how noncompliance can risk your business’s security and finances.
Merchants that fail to meet PCI DSS requirements and have a breach face fines ranging from $5,000 to $100,000 per month, depending on just how bad the breach was and how long you were non-compliant. These fines, along with the potential for legal issues, as well as brand and reputation damage, should make compliance a no-brainer.
Here are key questions and answers to help you understand PCI DSS 4.0 and its importance.
What is PCI DSS 4.0?
PCI DSS is a set of requirements all merchants must follow to protect cardholder data. Major credit card brands like Visa, MasterCard, and American Express enforce it.
PCI DSS 4.0, released three years ago, includes updated security requirements to address evolving cyber threats. Its comprehensive framework makes sure that businesses have taken the steps needed to protect sensitive customer data.
Businesses that accept credit cards are always going to be targets for fraudsters, so merchants must implement the appropriate security measures. Your goal is to minimize the risk of data breaches in all forms: from cyber attacks, to the wrong person gaining access to your terminal, and everything in between. Failing to meet PCI DSS standards makes your business a prime target. Dharma, and our PCI partner Sysnet, are here to make sure you become and stay compliant.
How do I get Compliant?
Becoming PCI DSS 4.0 compliant is an ongoing process, not something you do once and declare “done!” There are 12 core requirements for securing payment card information. These include installing and maintaining network firewalls; encrypting cardholder data; and implementing robust access controls around who can access data and where. And then you must regularly test your security systems.
One of the most important tools of PCI DSS 4.0 is the self-assessment questionnaire (SAQ), where you answer questions designed to help you identify issues with your compliance. The SAQs were revised for 4.0, requiring more detailed reporting on security protocols. At one time, going through an SAQ was just considered a best practice, but they became mandatory on March 31, 2025. Now businesses must review and update their SAQs annually to avoid noncompliance.
Stricter cardholder data policies are another key update in PCI DSS 4.0. Businesses must implement multi-factor authentication (MFA) for all users accessing payment card data, to ensure only authorized personnel can view or process sensitive customer information.
What are the Risks of Noncompliance?
At its most drastic, failing to comply with PCI DSS 4.0 can expose your business to security risks, financial consequences, and reputational damage. While the card brands all expect you to stay compliant, there are no governmental ramifications to noncompliance. But noncompliance can lead to significant costs in data-breach liability, fines and penalties from the brands, and reputational damage. You may end up paying for the cost of reissuing cards that were stolen, covering fraudulent charges, and paying for third parties to investigate and determine the scope of the breach.
To give some perspective, the monthly fines for noncompliance range from a base of $20 to $5,000 or more, depending on the severity of the noncompliance or data breach. A breach after long-term noncompliance may cost you upwards of $100,000 a month until you are compliant. When you add fees, fines, and legal exposure, you can see how this gets pricey fast. And that is not counting what happens to your brand and customer allegiance when they find out you’re responsible for a breach by being noncompliant.
PCI DSS 4.0 ups the importance of regular monitoring and testing of security systems. Failure to keep up with security updates risks noncompliance and cyberattacks. Cyberattacks have significantly increased, with estimates suggesting there are around 600 million cyberattacks per day globally. Additionally, nearly 54 people fall victim to a cyberattack every second, highlighting the growing prevalence of these threats.
The Cost of a Data Breach is Higher than You Think
The average breach cost businesses just shy of $5MM in 2023, up 10% from 2022. However, the financial implications extend far beyond just the breach and customer notification. IBM published a report revealing that 70% of organizations that experienced a data breach reported significant operational disruptions, further amplifying the incident’s cost.
If you need more convincing to be compliant, consider that the card issuing banks may hold non-compliant businesses responsible for covering all breach costs, including fraudulent charges and issuing new credit cards. Many businesses also incur the cost of hiring forensic investigators to determine the breach’s extent.
One of the scariest parts of a breach is: you may not know about it for some time. IBM reports an average of 194 days to identify a breach and 64 days to contain it, leaving businesses exposed for over half a year while the breach escalates and more and more data is stolen from your organization.
Best practices around data handling and staying compliant are critical, and can help deter or mitigate breaches. Compliance helps you quickly identify and respond to potential security threats.
There are Additional Benefits to Compliance, Too
It may seem like PCI 4.0 is all about danger and fines, but there is an upside as well. Being compliant can improve your business’s reputation, build customer trust, and reduce the risk of costly breaches. It also can help deter fraudsters in the first place: if you’re known to be compliant and diligent, they are likely to pick a more appealing target.
The best place to get started with PCI DSS 4.0 compliance is reviewing the updated standards, updating your self-assessment questionnaires, and strengthening security measures like card encryption, firewalls, and multi-factor authentication. Next comes monitoring. As we said, this is an ongoing process. You need to be regularly testing your security systems for vulnerabilities. If you can find them first and close them, it’s one more way to point those fraudsters elsewhere.
Final Thoughts
The reality is cybercrime is becoming more and more prevalent, and the attackers are getting smarter every day. It’s imperative that every business take the time to protect itself and avoid becoming the next target. Adopting and embracing PCI DSS 4.0 is a major step in that direction. Every Dharma merchant has access to our PCI partner Sysnet. Sysnet’s team of PCI specialists works with Dharma’s Support team to make sure you maintain compliance.
Want to read more interesting stats about cybercrime? Take a look at this post from Varonis.