Not PCI Compliant? Get ready for monthly fees...

Posted By Sherrin on September 29th, 2009

Online merchants are paying a $30 monthly fee for not being PCI compliant. Are you? Are you being charged? Many online credit card processors are now charging merchants monthly fees for not being PCI compliant. Most haven't even caught on to this fee because they are not notified, don't receive paper statements, and never review their online statement in its entirety. Check your statements for this fee, or talk to your credit card processor if you suspect it is being added to your bill.

Why the PCI Compliance Fees?

According to James Hussher's ezine article "What is This New PCI Compliance Fee My Credit Card Processor is Charging Me?":

"PCI stands for Payment Card Industry. DSS stands for Data Security Standard. The credit card issuers have suffered huge losses due to credit card fraud and they have decided to take new steps to prevent as much of that as possible. These steps include coordinating with merchants to establish and enforce new credit card number protection strategies including the better encryption of credit card numbers when transmitted during a sales authorization by a merchant, and storage of customer credit card data afterward."

Given the risk the processors carry when a merchant is breached, expect this fee to become part of most payment processing plans going forward. You may be able to dodge it in the short term, but the better solution is to make sure your site is actually compliant. A few savvy payment processors are touting the fact that they don't levy this fee; as always, do a full apples-to-apples comparison of their service offerings and all of their other fees before jumping to a new provider.

What's a Merchant to Do?

Don't go canceling your merchant account or switching to another processor that does not or will not charge you this compliance fee, because you are likely to see this fee sooner or later regardless of which processor you are with.
Some processors are supplying their merchants with the results of the PCI security scan of their site, implying that once the listed "infractions" are resolved, the fees will stop. These are external vulnerability scans run by a third-party scanning vendor against your public-facing servers, and a passing scan each quarter is one of the things PCI DSS requires of merchants. In most cases, your web developer or e-commerce service should be able to remedy any true compliance issues. Most of the time this means making sure best practices are followed and your software versions are up to date. The only tricky part is when the bank adds in its own risk factors and labels them as PCI issues; these need to be addressed with the processor and the third-party scanning service directly.

A business owner I spoke with today called his payment processor with specific questions about the scan results. He was shuffled to the third-party scanning service. The customer service rep at the scanning service had no idea how to answer his technical questions. And that's where the conversation remains to this date: the scanning service can't answer his questions, he can't remedy "infractions" he doesn't understand, and the processor keeps charging the fees.

Some merchants are being prompted to download and install PC-based scanning software in order to be "compliant". First of all, never install anything without doing your homework. Scanning software alone will not "automagically" make you compliant; a scan only reports what it finds, and it is fixing the findings (and keeping them fixed) that counts. If you are in doubt (and I highly recommend being in doubt), check with your processing company, your web developer, or your e-store provider before downloading and installing anything.

The Bottom Line - Compliance isn't Optional

As a merchant, your true goal should be to ensure that your site is PCI compliant: not just to avoid the monthly fees, but to protect yourself against the lawsuits, losses, and lost clients that follow a security breach.

To become and remain compliant with PCI DSS:

1. Understand what PCI DSS is and how your site does or does not comply. Ask your Web developer to explain this to you, or visit:
   http://usa.visa.com/merchants/risk_management/cisp.html
   http://pcianswers.com/
   http://www.mastercard.com/us/sdp/index.html
   https://www.pcisecuritystandards.org/
2. Keep your software up to date. If you are using a hosted e-commerce site, this should be done for you. If you have a custom e-commerce application, subscription-based CMS, and/or integrated website, check with your Web developer. It's not just shopping cart software either: if your site includes a blog section and WordPress is not up to date, an outdated install is exactly the kind of thing an external scan picks up, and it will count against your compliance.
3. You may be offered a link to a Self-Assessment Questionnaire (SAQ) in your merchant account statement this month or very soon. The questionnaire asks how you accept and process credit cards, which determines what is required of you, and from your answers you will receive instructions as to any further steps you need to take, if any.

Sherrin Bull is VP of Marketing for CommonPlaces e-Solutions, working with clients to develop digital media strategies specific to their online businesses and e-commerce applications.

Need Help?

Any time you process online payments, perform recurring billing (subscriptions), or collect personal information about your members, security and compliance need to be primary concerns. CommonPlaces develops world-class e-commerce applications and subscription-based content sites for F500 companies. Our experience has proven invaluable to our clients with PCI DSS and application security concerns. Contact us for a friendly, no pressure conversation.
