As noted, the PCI DSS common acknowledges that not all organizations have equal risk variables or equivalent capacity to roll out security infrastructure. The RSI security blog breaks down the steps in certain depth, but the process in essence goes similar to this: Typically the card makes good the payment https://livewebnews.info/nathan-labs-advisory-shaping-robust-cyber-security-policies-in-the-usa/