PCI compliance fees. More and more merchants are being charged unnecessary Payment Card Industry (PCI) Data Security Standard (DSS) fees. These fees range from $99 to $149 per year. What do these fees get you, the merchant? Absolutely nothing!
One national processing company charges businesses $99 per year for PCI compliance fees, but says the merchant would receive up to $50,000 in insurance should there be a PCI breach on their system. Reading the fine print, it requires the merchant to complete the Self-Assessment Questionnaire (SAQ) and have a successful network scan completed on their system. A network scan tests your system end to end. Let me explain.
PCI Compliance Fees
PCI requires all Internet-facing IP addresses to be scanned for vulnerabilities. This includes your server on the Internet, if applicable. Let’s say you have a business. That business could be brick and mortar, an Internet server where you sell products and services, or a combination of both. From your home, you access the database where your payment processing is recorded. You want to find out how much money you made today. Since you would be accessing the database from your home and signing in with your credentials, not only does the business or Internet server need to be scanned, so does your home IP address.
Many people think their Internet address is 192.168.xxx.xxx. It is not. That is a private address range used on the network behind the router you purchased; it is not reachable from the Internet. For any of us to access the Internet, we must have a unique public IP address. Don’t know your Internet IP address? This site and many others will give you your IP address, along with the information you are releasing to the world about yourself.
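The point of the two paragraphs above is that the scan scope is the set of public addresses from which the cardholder environment is reached, and a 192.168.x.x address can never be one of them. The following script, added here as an illustration and not part of the original post or of any scanning vendor's tooling, takes a list of (label, address) pairs such as a merchant might write down and separates the addresses a scanner can actually target from the ones that are private, non-routable or mistyped, de-duplicating a home and store that share one public address. The asset list is constructed for the example; the 203.0.113.x and 198.51.100.x addresses are documentation ranges standing in for real public addresses.

```python
import ipaddress

# Ranges that can never be an Internet-facing scan target: the RFC 1918 private
# space (the 192.168.x.x the post mentions, plus 10/8 and 172.16/12), loopback,
# link-local, and the carrier-grade NAT shared space some ISPs hand out.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
)]


def classify(addr: str) -> str:
    """Return 'public', 'private' or 'invalid' for one address string."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return "invalid"          # typo or not an address at all
    if ip.version == 6:
        hidden = ip.is_private or ip.is_link_local or ip.is_loopback
        return "private" if hidden else "public"
    return "private" if any(ip in net for net in NON_ROUTABLE) else "public"


def scan_scope(assets):
    """assets: iterable of (label, address) pairs.

    Returns (targets, excluded): targets is the de-duplicated, sorted list of
    public addresses to hand to the scanner; excluded maps each skipped label
    to the reason it was left out, so the merchant can fix typos and recognise
    that a LAN address is not what the scanner needs.
    """
    targets = set()
    excluded = {}
    for label, addr in assets:
        kind = classify(addr)
        if kind == "public":
            targets.add(addr.strip())
        else:
            excluded[label] = kind
    # Sort by (version, address) so IPv4 and IPv6 entries never get compared
    # to each other directly, which would raise TypeError.
    ordered = sorted(targets, key=lambda a: (ipaddress.ip_address(a).version,
                                             ipaddress.ip_address(a)))
    return ordered, excluded


# Constructed sample of what a small merchant might list (hypothetical values).
SAMPLE_ASSETS = [
    ("store-router-wan", "203.0.113.10"),   # public side of the store router
    ("web-shop", "198.51.100.25"),          # hosted online shop
    ("owner-home-lan", "192.168.1.7"),      # the LAN address, not Internet-facing
    ("owner-home-wan", "203.0.113.10"),     # same public address as the store
    ("office-wifi-printer", "10.0.5.20"),   # private, never scanned externally
    ("isp-cgnat", "100.64.3.9"),            # shared space, not reachable either
    ("typo", "192.168.1"),                  # incomplete address
    ("ipv6-home", "fe80::1"),               # link-local IPv6
]

if __name__ == "__main__":
    targets, excluded = scan_scope(SAMPLE_ASSETS)
    print("scan these:", targets)
    for label, why in excluded.items():
        print(f"skip {label}: {why}")
```

Run it as-is and the two documentation addresses come out as the only scan targets, listed once each, while every private, shared-space or malformed entry is reported with a reason. Feeding the real public addresses of the store, the web shop and the owner's home connection is exactly the list the post says must be scanned.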
Another myth many people believe is that when they log into a website it is secure because the password is masked with asterisks. Not true. Over a plain connection your password is passed without encryption, in the clear. Unless the site uses the secure hypertext transfer protocol (https:) AND its SSL/TLS certificate is issued by a reputable company, your user name and password could be compromised. When you go to your bank’s website or a well-known reputable provider like Amazon, you will notice a lock on your browser. Double-click the lock and click View Certificate. In Amazon’s case, it uses Verisign. Verisign, Comodo and many others have strong reputations in securing websites.
As you can see, logging in from your home to another location requires security. At your business, your credit card processing software or equipment must be segregated from the rest of your network. If it is not, you stand to have your data compromised. What’s the cost of a compromise? You could receive fines of $25,000 per occurrence. You can also be charged a reissuing fee by the banks that issued the compromised consumer debit/credit cards. Your company’s reputation would be severely damaged.
So, what can you do about PCI Compliance Fees?
PCI Compliance fees are on top of what you would pay for network scans, audits and assessments. PCI Compliance fees provide the processor additional revenue but provide nothing of value in return. Look for a reputable merchant services company that doesn’t charge a PCI Compliance fee. Help them understand your business. In turn, they should help you determine the resources you need to protect yourself, your business and your company’s reputation. But don’t pay credit card PCI Compliance fees!
We’ve seen in the past year where large merchants and even merchant processing companies have been hacked. It has been costly to them in monetary losses, reputation and potentially impending Congressional oversight.
If you use a dial-up terminal you should be in good shape. You still need to complete SAQ B. More information is on our PCI compliance page. But dial-up terminals, if they themselves are compliant, should only require the SAQ B.
In conclusion, ALL merchants must be PCI compliant. Merchants incur the fees to become PCI compliant through expenses such as network scans and assessments or audits, where they are necessary. Paying your merchant services provider a PCI compliance fee, unless they are adding value to your PCI compliance, is just throwing your money away.