An acquiring bank may be fined by the card brands anywhere from $5,000 to $100,000 per month for PCI compliance violations. These fines are passed downstream to the merchant.  In addition, your account is subject to many additional costs including lawsuits from cardholders and issuing banks, the reissuance of cards, brand damage and a required forensic investigation.  Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business.  It is important to be familiar with your merchant account agreement, which should outline your exposure.