If you’re new to running a business you may have heard of a PCI noncompliance fee before. In truth, there are a lot of rules and regulations to deal with when operating a business, including various compliance fees. Accepting credit card payments opens your business up to a whole new set of possible issues when it comes to handling customers’ sensitive information. With credit and debit cards accounting for about 51 percent of payments, your business can capture a huge market by accepting this payment method. The ability to accept credit cards from your customers and this PCI fee go hand in hand.
The rules around accepting forms of payment like credit cards get stricter every year, and rightly so. Payment fraud losses in 2018 were up to $27.8 billion worldwide. It’s imperative to protect consumer data when handling such sensitive information. That’s where PCI compliance comes into play.
What is PCI?
To set a standard that protects consumers and merchants, the Payment Card Industry (PCI) has set up Data Security Standards (DSS). These standards are for payment processors and merchants who accept payment methods like credit cards. PCI compliance has different measures for handling and preserving data that both of these parties must abide by. The PCI Security Standards Council is a resource for the global adoption of the PCI-DSS.
These rules are regulated at the state level, so there might be some variations depending on the state your business is in. Some merchant account providers set their own standards for security in addition to the council’s. When choosing a processor, it’s important to review their PCI compliance standards to ensure they meet expectations to avoid a compliance fee.
A processor may pass on a PCI compliance fee to a merchant. Review the list of fees that a processor charges when shopping for a payment processor. If you find out that the processor does charge a compliance fee, be sure to find out if they offer recommendations that will get and keep you compliant. There are two types of compliance fees that could be passed down to you: a PCI noncompliance fee and a PCI compliance fee.
PCI noncompliance fee
When a business fails to provide proof that it meets PCI-DSS requirements, its processor may charge it a PCI noncompliance fee. These compliance fees are basically a penalty for not meeting the regulations agreed upon in the contract. As previously mentioned, some processors will provide some services in exchange for this fee. These services come in the form of support or guidance on how to become compliant.
Use the self-assessment questionnaire from the PCI Standard’s website to help you figure out if your business is compliant. You may receive some consulting when you are charged a PCI noncompliance fee. Even if you’ve paid the fee and taken the guidance, it doesn’t mean your business is completely compliant with regulations. Following safe practices when handling customer information is the ticket to staying compliant. After all, the PCI fee is just another expense to your business if you choose to ignore best practices.
PCI compliance fee
Another PCI fee that some payment processors charge is a compliance fee. As you may have guessed, a PCI compliance fee is an added service for PCI compliance. These services will vary but some of the most common include:
- Providing ongoing support – Consulting for handling changes to PCI compliance. This typically includes tech support to handle any questions or problems that may occur.
- Running security scans – As part of PCI compliance, a merchant must run at least one security scan every quarter. An Approved Scanning Vendor (ASV) must handle these scans. The PCI compliance fee that some payment processors charge may handle this scan on your behalf as part of the service. eCommerce merchants are required to have this scan performed.
- Cyber liability insurance – Covers associated costs and damages that occur in the event you do have an unfortunate data breach.
How Processors Set PCI Compliance Fees
Now you are probably wondering what to expect to pay for a PCI compliance fee. Payment processors are responsible for setting, charging, and collecting PCI fees. That means the cost will vary by processor.
Luckily, processors all calculate the compliance fee in a similar way. It goes something like this:
- The processor decides on its fee structure.
- Once determined, they will then decide if PCI compliance will be included in their fee structure.
- If the processor chooses not to include it, then they determine the rate based on their target profit margin and the additional services that will be included.
How Compliance Fees Are Calculated
The fees are assessed in one of four ways:
- No fee, no services – PCI compliance is basically left up to you. You don’t get charged a PCI compliance fee, but you also won’t get any services to help maintain compliance.
- Additional fee, additional services – You will pay a PCI compliance fee and in return, you’ll get services to keep your business compliant.
- No fee, additional services – There’s no separate compliance fee and you get at least some services to help maintain your compliance.
- Additional fee, no services – In this case, you get charged a PCI compliance fee and get no services in exchange. Avoid payment processors who use this approach.
The PCI compliance fee will be charged based on how the processor handles billing. This means you can expect to be charged monthly or annually for this fee. Look at your current credit card processing fees statement and review how your processor is charging you.
How to Avoid PCI Noncompliance Fees
As a business owner, it’s in your best interest to avoid having to pay for extras like a PCI noncompliance fee. After all, the potential security breaches posed by noncompliance represent a risk to your business and customers. The self-assessment questionnaire mentioned earlier is a great way to find out where your business needs improvement in payment security. Below are some security recommendations from the PCI Security Standards Council to use as a guide:
- Train your employees about security and protecting cardholder data
- Change all default passwords on devices and use strong passwords
- Use verified payment software
- Do not store sensitive cardholder data on paper or on computers
- Protect your network and PCs by installing a firewall
- Follow the PCI Data Security Standards
- Password protect your wireless router and use encryption
- Use only approved PIN entry devices
- Routinely check your PIN entry devices and PCs for skimming devices or malware
The payment processor your business works with should be PCI compliant too. Check and verify their credentials before signing up for their services. Working with the right provider will help you to avoid paying an unnecessary fee.
Keeping up to date with PCI compliance is easier when you partner with the right payment processor. Only work with a payment processor that is PCI compliant so you know you can trust them with your customers’ sensitive information. Although as a business owner you may want to avoid paying PCI compliance fees, having an expert on your side can help you get and keep your business compliant. After all, your customers’ security should be top of mind in everything you do.