Wednesday, March 11. 2009
If you are a merchant who accepts credit card payments for goods or services, you may have noticed a PCI compliance fee on your merchant account statement recently.
When you first noticed this additional charge, you probably asked yourself, “What is this fee and what service does it cover?” If you are a merchant who has taken the necessary steps to ensure your business is PCI-DSS (Payment Card Industry Data Security Standard) compliant, this charge may appear to be a misnomer. Should it, or more appropriately does it, still apply to you?
Before looking at this issue further, it is important to first address what PCI compliance is and what effect it has on you, the business owner.
PCI Compliance and what it Means for Your Business
You may or may not be aware of the fact that since June of 2008 it has been required that all merchants who accept credit card payments for purchases must be PCI-DSS compliant. In a nutshell, this is a security measure developed by the PCI Security Standards Council to curtail the loss of cardholder data.
At the most elemental level, it is now mandatory that you fill out a questionnaire and have your networks scanned quarterly for vulnerabilities. However, this is just the tip of the iceberg.
According to the PCI Security Standards Council website, PCI DSS is “a set of comprehensive requirements for enhancing payment account data security…developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International, to help facilitate the broad adoption of consistent data security measures on a global basis.”
To ensure this “broad adoption of consistent data security on a global basis” the PCI Security Standards Council has set in motion a 12-step program, if you will, that must be followed by all who accept plastic for goods or services. For you, the business owner, this would entail:
- Building and maintaining a secure network
- Protecting cardholder data
- Maintaining a vulnerability management program
- Implementing strong access control measures
- Regularly monitoring and testing your networks
- Maintaining an information security policy
For a complete breakdown of the requirements necessary to ensure your business is PCI-DSS compliant, visit https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
To Be or Not to Be PCI Compliant, That is the Question
The real question is, “Can you afford not to be?” Although ensuring PCI compliance requires due diligence on your end as well as additional resources in time and money, the alternative could be catastrophic.
Bottom line, if it were discovered that your company was leaking credit card information from your processing network, you would be faced with crippling, possibly business-busting fines.
Currently, it is left up to the discretion of each credit card company as to what fines will be incurred when data is breached. Although MasterCard and American Express remain “hush-hush” about their fines, Visa has made theirs well known.
Presently, they charge $50,000 if a business exposes one credit card number due to unsecured networks. However, this is only the starting point. Fines could escalate to the half million-dollar mark if Visa deems it appropriate. They would also charge an additional $100,000 fine if you did not notify their fraud department about the leak.
It is safe to say that most businesses – especially in today’s economy – would crumble if faced with a financial hit of this magnitude. Therefore, becoming PCI compliant is essential to your business’ survival.
Anyway, would you really want to take that chance?
PCI Compliance Fees
It is not only mandatory that all merchants comply with the regulations set forth by the PCI Security Standards Council to provide safe storage, processing and transmission of cardholder data, but merchant account providers (MAPs) as well. To offset expenses incurred to ensure compliance, various MAPs are currently charging PCI-DSS compliance fees.
Although it may be considered a “pass through” fee, it can also be viewed as a necessary expense that allows MAPs to stay in business and provide a needed service. If security were breached due to non-compliance, they too would face stiff fines that could potentially put them out of business.
However, if you have taken all steps to ensure PCI compliance and you are charged a compliance fee, you may want to ask your MAP if this charge could be waived. After all, your business should not be considered a potential liability.
Also, as with any fee charged by a MAP, it should be “fair and reasonable”. Make a point to call various MAPs and ask about their PCI compliance fees. Is yours comparable to what others are charging? Are other MAPs waiving this fee?
In today’s uncertain economy, everyone is pinching their pennies and taking a hard look at their bottom line. Therefore, it is paramount to take the time to understand all fees on your merchant account statement and shop around to make sure you are getting the best deal possible – including the fee assessed for PCI compliance.
To learn more about our merchant services, please visit:
Please don't give any such ideas to the powers that be.
I know that PCI has presented problems to merchant account providers and merchants throughout the field. This is not being charged industry wide without cause. The associations are mandating policies and procedures which represent tremendous expense to
However, merchant account companies should not take advantage of business owners and use this as an excuse to charge "unreasonable fees."
Thanks for your input!
PCI compliance is primarily meant to protect credit card-holding customers, not necessarily merchants.
Thanks for your post! This is one way to avoid a PCI Compliance fee -- simply not relying on credit card processing.
I think it's very astute of you to take account of the nature of your business and the ATM machines in the vicinity, and then provide an incentive for customers to use cash.
Even if you cannot totally eliminate credit card acceptance, you are dramatically reducing your credit card processing fees.
Consequently, it is now more important than ever to factor the PCI compliance fee into the TOTAL monthly cost. Look for processors who are offering the lowest processing rates as well as the lowest fixed TOTAL monthly cost. (Of course, you need to consider other criteria, such as startup fees, monthly minimums, termination fees, level of customer support, etc.)
Also, please note that some merchant account companies are waiving the PCI compliance fee depending on the type of account a merchant opens. For example, one of our parent companies waives the PCI fee for dial pay merchants and those who swipe cards employing a terminal that uses plain old telephone service, connected to a landline.
While I understand your frustration with rising (and unanticipated) costs, please do NOT surcharge your clients for using their credit cards. It's against Visa and MasterCard regulations. Obviously, you can build the processing costs into your fee but you cannot itemize cc use on an invoice.
Thanks again for your contribution to my blog!
Thanks for taking the time to read my blog entry and respond. I can understand your sentiment although credit card processors and banks would argue that merchants are their direct customers, and as such, should be billed accordingly.
Among the services provided are underwriting, the actual transfer of the merchant's funds to his/her bank account, customer support and technical troubleshooting, monthly statements, dispute handling, etc.
There are a variety of other costs incurred -- including those involving PCI compliance -- which are more readily passed on to merchants.
In turn, as you mention, merchants can build credit card processing fees into their total price, and yes, even offer cash discount incentives.
Finally, merchants can exercise some control over credit card processing pricing in the sense that they can do their homework and go with companies that waive many standard fees and quote extremely competitive rates.
Please keep reading my blog, Todd!