Jon Perry
More and more merchants are being charged unnecessary Payment Card Industry (PCI) Data Security Standard (DSS) fees. These fees range from $99 to $149 per year. What do these fees get you the merchant? Absolutely nothing!
One national processing company charged a business $99 per year, but said the merchant would receive up to $50,000 in insurance should there be a PCI breach on their system. Reading the fine print, it required the merchant to complete the Self Assessment Questionnaire (SAQ) and have a successful network scan completed on their system. A network scan tests your system end to end. Let me explain.
PCI requires all Internet-facing IP addresses to be scanned for vulnerabilities. This includes your server on the internet, if applicable. Let’s say you have a business. That business could be brick and mortar, an internet server where you sell products and services, or a combination of both. From your home, you access the database where your payment processing is made. You want to find out how much money you made today. Since you would be accessing the database from your home and signing in with your credentials, not only does the business or internet server need to be scanned, so does your home IP address.
Many people think their internet address is 192.168.xxx.xxx. It is not. That is a subnet for your private network for the router you purchased. For any of us to access the internet, we must have a unique IP address. Don’t know your internet IP address? This site and many others will give you your IP address, along with the information you are releasing to the world about yourself.
Another myth many people believe is when they log into a website that it is secure because the password is masked with asterisks. Not true. Your password is passed without encryption, in the clear. Unless there is a secure hypertext transfer protocol (https:) AND the secure socket layer is provided by a reputable company, then your user name and password could be compromised. When you go to your bank’s website or a well know reputable provider like Amazon, you will notice a lock on your browser. Double click the lock and click View Certificate. In Amazon’s case, it uses Verisign. Verisign, Comodo and many others have strong reputations in securing websites.
As you can see, logging in from your home to another location requires security. At your business, your credit card processing software or equipment must be segregated from the rest of your network. If you don’t, you stand to have your data compromised. What’s the cost of a compromise? You could receive fines of $25,000 per occurance. You also can be charged the fees of the banks who issued the compromised consumer debit/credit cards a reissuing fee. Your company’s reputation would be severely damaged.
So, what can you do? PCI Compliance fees are on top of what you would pay for network scans, audits and assessments. They are fees that provide the processor additional revenue, but provide nothing of value in return. Look for a reputable merchant services company that doesn’t charge a fee. Let them understand your business. They will help you determine the resources you need to protect yourself, your business and your company’s reputation. But don’t pay credit card PCI Compliance fees!
We’ve seen in the past year where large merchants and even merchant processing companies have been hacked. It has been costly to them in monetary losses, reputation and potentially impending Congressional oversight.
If you use a dial up terminal you should in good shape. You still need to complete SAQ B. More information is on our PCI compliance page. But dial up terminals, if they themselves are compliant, should only require the SAQ B.
In conclusion, ALL merchants must be PCI compliant. Merchant incur the fees to become compliant with expenses such as network scans and assessments or audits. Paying your merchant services provider money, unless they are adding value in your compliance, is just throwing your money away.
For more information about PCI Compliance or merchant services, call us today at 817.857.3557 or toll free 877.577.3779.
Follow me on Twitter
Join me on LinkedIn
If you enjoyed this article, please consider sharing it!
I think you’re mistaken on the Dial-up terminals-they are SAQ B “Standalone Dial terminal or Imprint Machines” (basically any dial terminal or knucklebuster). If the merchant uses touchtone capture, for example, they will only need to do SAQ A.