If you’re new to running a business, you may not have heard of a PCI non-compliance fee before. In truth, there are a lot of rules and regulations to deal with when operating a business, many of which may be subject to various compliance fees.
With credit and debit cards accounting for about 51 percent of payments, your business can capture a huge market by accepting this payment method.[1] (Federal Reserve Bank of San Francisco, 2019 Findings from the Diary of Consumer Payment Choice, accessed May 11, 2022.) But accepting credit card payments also exposes your business to a whole new set of issues around handling your customers’ sensitive card information. In fact, the ability to accept credit cards from your customers and PCI non-compliance fees go hand in hand. The rules around accepting forms of payment like credit cards get stricter every year, and rightly so: it’s imperative to protect consumer data when handling such sensitive information. That’s where PCI compliance comes into play. Below we explain exactly what PCI compliance is, as well as how to remain compliant with PCI standards so that you avoid paying a PCI non-compliance fee.
What is PCI?
To set a standard for protecting consumers and merchants, the Payment Card Industry (PCI) established the Data Security Standard (DSS). The standard applies to merchants that use payment processors to accept payment methods like credit and debit cards. PCI DSS sets out measures for handling and protecting cardholder data with which both merchants and processors must comply. The PCI Security Standards Council is the body that publishes PCI DSS and supports its adoption.
These rules are regulated at the state level, so there might be some variations depending on the state in which you do business. Additionally, some merchant account providers set their own security standards on top of the Council’s. When choosing a merchant services provider, confirm that the provider itself complies with PCI standards, so that it meets expectations and you won’t end up paying non-compliance fees.
What is a PCI Fee?
A processor may pass its PCI compliance costs on to its merchants. When shopping for a payment processor, review each processor’s list of fees. If you find that a processor charges a compliance fee, find out whether it also offers guidance on how to become and stay PCI compliant.
There are two types of compliance fees that could be passed down to you: a PCI non-compliance fee and a PCI compliance fee.
PCI non-compliance fee
When a business fails to provide proof that it meets PCI DSS requirements, its processor may charge it a PCI non-compliance fee. This fee is a penalty for not meeting the requirements agreed upon in the contract. Your merchant service provider should offer guidance on how to become compliant. Some providers do not notify you before charging a non-compliance fee, so be sure to review your merchant statement each month.
You may receive some consulting when you are charged a PCI non-compliance fee. However, paying the fee and following the guidance provided does not by itself make your business fully compliant with PCI requirements. Following safe practices whenever you handle customer card data is what keeps you compliant.
PCI compliance fee
Another PCI-related fee charged by some payment processors is a compliance fee. As the name suggests, a PCI compliance fee covers services that help your business achieve and maintain PCI compliance. These services vary, but the most common include:
- Ongoing customer support: This typically includes tech support to handle any questions or problems that may occur, as well as consultation for handling changes to PCI compliance.
- Data security scans: As part of PCI compliance, a merchant must have an external vulnerability scan performed at least once every quarter, and the scan must be carried out by an Approved Scanning Vendor (ASV). The PCI compliance fee that some payment processors charge may include this scan as part of the service.
- Cyber liability insurance: This covers associated costs and damages that occur in the event of a data breach.
How Much Does PCI Compliance Cost?
PCI compliance fees are not standardized across the industry, so you’ll see some variation in this fee from one company to another. While shopping around, you’ll find that many companies lump their PCI compliance charges into one annual fee of about $120 per year. A major drawback of an annual PCI compliance fee is that it is not eligible for a prorated refund if you cancel your account. In response to complaints, many companies have transitioned to charging a monthly fee, typically around $9.99 per month.
On the other hand, PCI non-compliance fees are only charged in the event of non-compliance, meaning you can avoid this cost altogether simply by complying with PCI standards. If you’re found to be non-compliant, most providers will charge you a monthly fee of about $30 until you’ve corrected your compliance issues. It’s important to note that, in addition to fees, your processor may terminate your account if you fail to meet PCI standards within a reasonable timeframe. Typically, processors assess PCI compliance three months after your account is approved, giving you a buffer to become compliant and avoid the fee.
How Processors Set PCI Compliance Fees
Payment processors are responsible for setting, charging, and collecting their PCI fees. While the cost varies by processor, all processors set their compliance fee in a similar way:
- The processor decides its fee structure, determining whether or not PCI compliance services will be included in its fee structure or charged separately.
- If the processor chooses to charge separately, it sets a rate for PCI compliance services based on its target profit margin and the cost of the services included.
How Compliance Fees Are Calculated
PCI compliance fees are assessed in one of the following four ways:
- No fee, no services: With this option, PCI compliance is left up to you. You’re not charged a PCI compliance fee, but you do not receive any services that help you maintain compliance.
- Additional fee, additional services: You pay a PCI compliance fee and, in return, you receive services that help your business remain compliant.
- No fee, additional services: There’s no separate PCI compliance fee, and you receive at least some services to help maintain your compliance. It’s worth noting, however, that processors offering services without an additional fee have likely baked the cost of those services into their overall fee structure.
- Additional fee, no services: In this case, you’re charged a PCI compliance fee, yet receive no services in exchange. Avoid payment processors engaging in this practice.
How often the PCI compliance fee is charged depends on how the processor handles its billing; typically it is charged monthly or annually. To see how your processor is charging you, look at the credit card processing fees on your monthly statement.
How to Analyze Your Level of Compliance
To avoid unnecessary PCI non-compliance fees, it’s important to ensure that your business complies with all applicable PCI standards. To analyze your compliance, begin by determining your merchant level. Your merchant level is based on the number of transactions your business processes during a certain period of time. It’s also worth noting that your business’s merchant level may vary between credit card networks, as Visa and Mastercard base this assessment on different criteria.
After finding out your merchant level, you can then identify the PCI standards that apply to your business. Generally, PCI standards require the following of businesses:
- Maintaining a secure network
- Protecting cardholder data
- Implementing access control measures
- Monitoring and testing networks regularly
- Establishing vulnerability management
- Keeping your information security policy up-to-date
To help you determine whether your business is PCI compliant, you can use the PCI Security Standards Council’s self-assessment questionnaire covering your business’s credit card data security.
How to Avoid PCI Non-Compliance Fees
As a business owner, it’s in your best interest to avoid unnecessary expenses, and a PCI non-compliance fee is one of them. Beyond the fee itself, the security breaches that non-compliance makes more likely are a risk to your business, your customers, and your reputation. The self-assessment questionnaire mentioned above is a good way to find out where your business needs improvement. Additionally, the PCI Security Standards Council provides these concrete tips for becoming and staying compliant:
- Only use approved credit card readers and validated payment software
- Check that your network and devices are firewall-protected
- Ensure your password-protected wireless router uses encryption
- In addition to setting strong passwords, change any and all default passwords on your software and hardware
- Do not store sensitive cardholder data on computers or paper records
- Examine your PIN entry devices for rogue software and “skimming” devices
- Train your staff to follow best practices for protecting cardholder data
- Finally, follow the PCI Data Security Standards
Your payment processor should also be PCI compliant. Before partnering with a processor, verify its credentials. Working with the right processor will help you avoid paying an unnecessary fee or, worse, falling victim to a security breach.
Work with a PCI-compliant merchant services provider
When you work with a PCI-compliant merchant services provider, you can effortlessly establish and maintain PCI compliance throughout the lifetime of your business. As an industry leader with extensive experience servicing every business model across all industries, we only connect clients to PCI-compliant hardware and software. Additionally, we can tailor your payment gateway to achieve compliance and best fit the needs of your particular business operations. By partnering with us, you can sleep soundly knowing your business complies with all necessary PCI standards.
PCI Non-Compliance Fee: Closing Thoughts
PCI non-compliance fees are an unnecessary expense that all businesses should avoid. However, the real risk of failing to comply with PCI standards is that it leaves your business’s and customers’ sensitive data vulnerable to malicious actors. By partnering with the right merchant service provider, you can accept payments with the assurance that every product and service you use is PCI compliant. And with the stakes as high as they are, why roll the dice?