Recently we’ve heard from more and more merchants that their processor has billed them some kind of PCI compliance fee. Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is very important to protect your business, but merchants should question the need to pay a monthly or annual fee on their merchant account statement. Find out exactly what services you are being provided for this fee, and make sure you were properly notified under the terms of your agreement that such a fee would be charged.
Spend a few minutes on the Internet searching blogs and forums and you will find merchant complaints. A common merchant post goes like this: “Did anyone get a letter from your credit card processor about an annual fee to validate the security of their CC transactions? They are going to charge me $145.00 annually to make sure no one steals info from my machine. If I don't comply, they will charge me $27.00 a month.”
The fees being charged for so-called PCI compliance are not uniform. Some merchant account providers don’t charge anything. Others charge monthly, some annually and some both. According to the Visa web site on compliance validation, merchants fall into categories (levels) based on their size, with Level 4 merchants being the smallest. Level 4 merchants, those processing fewer than 20,000 e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually, have the following validation requirements:
The majority of the merchants being charged compliance fees on their merchant account are small Level 4 merchants. If you are processing using a credit card terminal, your provider must provide you with a secure, compliant payment application for the terminal before they can board your account, provide service and charge processing fees. If you are using a payment gateway or POS register system, verify with your POS reseller that you are running the latest version of their software that has been certified as PCI compliant. For most businesses using a POS register system integrated with payment processing capabilities, a service contract is in place for support. Make certain that your POS service contract gives you confidence that your system will be kept up to date, with data encryption, a firewall and the other measures PCI standards require.
While some merchants may incur fees for validation, these are normally paid to third parties such as an Approved Scanning Vendor (ASV). However, if you are not passing, transmitting, storing or receiving full cardholder data on your PC, then a quarterly scan is unnecessary and not applicable.
PCI insurance is another reason some merchant account providers give for charging PCI fees. Before you opt in to such an insurance policy, make sure you understand the coverage and exclusions, and assess the likelihood of your systems being compromised. For example, if you are a small merchant processing a few transactions a week using a Touch Tone Capture service to authorize and settle transactions over the telephone, or using a credit card terminal (which does not store mag-stripe data electronically), then paying for PCI insurance is not a good value. Also, check your existing business insurance policies to see if you already have coverage for data compromises before you pay additional premiums.
Bottom line: if you are charged a PCI compliance fee, our advice is:
- Immediately ask your merchant account provider for the specific reason for the fee, and ask for a refund.
- Start shopping for a new service provider who does not charge a PCI compliance fee. (Of course, if you are in a long-term contract with an early termination fee, you may be stuck. So when you shop, read the fine print this time and insist on a month-to-month agreement.)
For additional PCI DSS info visit: http://www.vantagecard.com/resources/PCI_Data_Security.html