Are there penalties for businesses that don’t comply?
The cost of not complying with the PCI DSS will be loss of business. Card issuers will not continue to allow non-compliant merchants to process payments with their brands, so those merchants’ customers will lose the option of paying electronically. On top of this, card issuers will be able to seek punitive damages or fines from merchants where non-compliance has contributed to fraud or loss. These could run into hundreds of thousands of dollars, plus reimbursement for the money lost in the first place.