If you are a merchant who accepts credit card payments for goods or services, you may have noticed a PCI compliance fee on your merchant account statement recently.
When you first noticed this additional charge, you probably asked yourself, “What is this fee and what service does it cover?” If you are a merchant who has already taken the necessary steps to make your business PCI DSS (Payment Card Industry Data Security Standard) compliant, the charge may look like a misnomer. Should it, or more to the point does it, still apply to you?
Before looking at that question, it is worth addressing what PCI compliance is and what effect it has on you, the business owner.
PCI Compliance and what it Means for Your Business
You may or may not be aware that since June 2008 the card brands have required every merchant who accepts card payments to be PCI DSS compliant. In a nutshell, the standard is a set of security requirements developed by the PCI Security Standards Council to curtail the loss of cardholder data.
At the most elemental level, this means completing a Self-Assessment Questionnaire (SAQ) each year and having your externally facing systems scanned quarterly for vulnerabilities by an Approved Scanning Vendor (ASV). Which SAQ you complete, and whether the quarterly ASV scans apply at all, depends on how you take card payments: a merchant who never touches card data directly (for example, one that redirects customers to a processor’s hosted payment page) has far less to do than one that stores or transmits card numbers on its own network. Either way, the questionnaire and the scans are only the tip of the iceberg.
According to the PCI Security Standards Council website, PCI DSS is “a set of comprehensive requirements for enhancing payment account data security…developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International, to help facilitate the broad adoption of consistent data security measures on a global basis.”
To bring about this “broad adoption of consistent data security on a global basis,” the PCI Security Standards Council has laid out 12 requirements, grouped under six goals, that must be followed by everyone who accepts cards for goods or services. The requirements apply to every system that stores, processes or transmits cardholder data, and to any system connected to those systems, so the less of your network that handles card data, the smaller the job. For you, the business owner, the six goals are:
- Building and maintaining a secure network
- Protecting cardholder data
- Maintaining a vulnerability management program
- Implementing strong access control measures
- Regularly monitoring and testing your networks
- Maintaining an information security policy
For a complete breakdown of the requirements necessary to ensure your business is PCI-DSS compliant, visit https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
To Be or Not to Be PCI Compliant, That is the Question
The real question is, “Can you afford not to be?” Ensuring PCI compliance requires due diligence on your end as well as additional time and money, but the alternative could be catastrophic.
Bottom line: if it were discovered that your company was leaking card information from its processing network, you would face crippling, possibly business-busting fines, and the fines are only part of the cost. A breached merchant typically also pays for a forensic investigation, for the reissuing of the compromised cards and for any fraud traced back to the breach, and those costs routinely exceed the fines themselves.
Currently, it is left to the discretion of each card brand what fines will be incurred when data is breached. Although MasterCard and American Express remain “hush-hush” about their fines, Visa has made its schedule well known.
Presently, Visa charges $50,000 if a business exposes even one card number through an unsecured network. That is only the starting point: fines can escalate to the half-million-dollar mark if Visa deems it appropriate, and an additional $100,000 is charged if you fail to notify Visa’s fraud department about the leak. Note that these fines are levied on the acquiring bank, which then passes them through to you under the terms of your merchant agreement.
It is safe to say that most businesses – especially in today’s economy – would crumble if faced with a financial hit of this magnitude. Therefore, becoming PCI compliant is essential to your business’ survival.
Anyway, would you really want to take that chance?
PCI Compliance Fees
Compliance with the requirements set forth by the PCI Security Standards Council for the safe storage, processing and transmission of cardholder data is mandatory not only for merchants but also for merchant account providers (MAPs) and the other service providers in the payment chain. To offset the expense of meeting those requirements, various MAPs are currently charging PCI DSS compliance fees.
Although it may be considered a “pass-through” fee, it can also be viewed as a necessary expense that allows MAPs to stay in business and provide a needed service. If a breach occurred because of non-compliance on their side, they too would face stiff fines that could put them out of business.
However, if you have taken all the steps to ensure PCI compliance and are still being charged a compliance fee, ask your MAP whether the charge can be waived. After all, a validated, compliant business should not be treated as a potential liability.
Also, as with any fee charged by a MAP, it should be “fair and reasonable.” Make a point of calling several MAPs and asking about their PCI compliance fees. Is yours comparable to what others charge? Are other MAPs waiving the fee? And ask exactly what your fee buys: some providers bundle the ASV scanning service and SAQ support into it, while others charge it purely as an administrative fee.
In today’s uncertain economy, everyone is pinching their pennies and taking a hard look at their bottom line. Therefore, it is paramount to take the time to understand all fees on your merchant account statement and shop around to make sure you are getting the best deal possible – including the fee assessed for PCI compliance.