PCI Council warns new EU regulation could see average fines of £13k per small business for cyber security breach


The PCI SSC (Payment Card Industry Security Standards Council) warns UK firms of a 60- to 130-fold increase in fines under the General Data Protection Regulation

Jeremy King, international director at the PCI Security Standards Council (PCI SSC), said:

“The new EU legislation will be an absolute game-changer for both large organisations and SMEs.

“The regulator will be able to impose a stratospheric rise in penalties for security breaches, and it remains to be seen whether businesses facing these fines will be able to shoulder the costs.”

The PCI Security Standards Council urged firms to introduce procedures against cyber security threats to avoid these significant regulatory fines.

The new legislation comes into effect in 2018 and means that a security breach could attract fines of 4% of global turnover or €20m, whichever is greater. The level of fines in 2015 for cyber security breaches was £1.4bn for UK firms; using this as a baseline, the PCI SSC suggests that this could potentially increase 90-fold after the new legislation comes into force, resulting in fines of £122bn across UK firms. Similarly, fines for SMEs could see a 60-fold increase, rising to £52bn, averaging out at £13,000 per small business.

Are you ready for the General Data Protection Regulation?

The Information Commissioner’s Office (ICO) gives an overview of the General Data Protection Regulation (GDPR), which is due to come into force in 2018. The ICO comments that, even with the recent Brexit decision:

“…once implemented in the EU, the GDPR will be relevant for many organisations in the UK – most obviously those operating internationally. The other main reason is that the GDPR has several new features – for example breach notification and data portability…”

One of the main changes in the GDPR is around breach notification:

“A notifiable breach has to be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it. The GDPR recognises that it will often be impossible to investigate a breach fully within that time-period and allows you to provide information in phases.

If the breach is sufficiently serious to warrant notification to the public, the organisation responsible must do so without undue delay.

Failing to notify a breach when required to do so can result in a significant fine up to 10 million Euros or 2 per cent of your global turnover.”

In light of the tight timescales for reporting a breach, it is important to have robust breach detection, investigation and internal reporting procedures in place.

Read from ICO: Overview of the General Data Protection Regulation (GDPR)

Next Steps

It is important that organisations start preparing for the new regulations and understand the new requirements. Once the regulation comes into force, the cost of a cyber security breach will have a significant impact on organisations. The Payment Card Industry Data Security Standard (PCI DSS) is a prescriptive standard for securing sensitive cardholder data.
If you need any help or further advice from an independent qualified PCI QSA company please call us on 01392 247110 or send us an email.