Many online credit card processors now charge online merchants a $30 monthly fee for not being PCI compliant. Many companies aren't even aware of the fee because they aren't notified, don't receive paper statements, or never review their online statement in its entirety. Always check your statements, or talk to your credit card processor if you suspect this fee is being added to your bill.
Why the PCI Compliance Fees?
In his ezine article "What is This New PCI Compliance Fee My Credit Card Processor is Charging Me?", James Hussher explains: "PCI stands for Payment Card Industry. DSS stands for Data Security Standard. The credit card issuers have suffered huge losses due to credit card fraud and they have decided to take new steps to prevent as much of that as possible. These steps include coordinating with merchants to establish and enforce new credit card number protection strategies including the better encryption of credit card numbers when transmitted during a sales authorization by a merchant, and storage of customer credit card data afterward."
Given the risk that non-compliant merchants pose to processors, expect this fee to show up in most payment processing plans going forward.
Although you may be able to dodge this fee in the interim, the better solution is to make sure your website is actually compliant. A few savvy payment processors advertise that they don't levy the fee. As with anything, do a full apples-to-apples comparison of a few vendors: review their service offerings and all other fees before jumping to a new provider.
What's an Online Merchant to Do?
First off, don't panic. Don't cancel your merchant account or switch to another processor that does not or will not charge this compliance fee; you are going to have this fee from now on, regardless of which processor you are with. Some processors supply their merchants with the results of a PCI security scan of their site, implying that if the listed "infractions" are resolved, the fees will stop. In most cases, your web developer or ecommerce service should be able to remedy any true compliance issues.
Most of the time, this means making sure best practices are followed and your software versions are up to date. The tricky part is when the bank adds its own risk factors and labels them as PCI issues; these need to be raised with the processor and the third-party scanning service directly. Under PCI DSS, the quarterly external vulnerability scan must be run by an Approved Scanning Vendor (ASV), so the scanning service, not the processor, is the party that owns the findings and should be able to explain a specific one or handle a dispute over it. A business owner I spoke with today called his payment processor with specific questions about the scan results. He was shuffled to the third-party scanning service. The customer service rep at the scanning service had no idea how to answer his technical questions. And that's where the conversation remains to this date: the scanning service can't answer his questions, he can't remedy "infractions" he doesn't understand, and the processor keeps charging the fees.
Some merchants are being prompted to download and install PC-based scanning software in order to be "compliant". First of all, never install anything without doing your homework. In most cases scanning software alone will not "automagically" make you compliant; a scan only reports findings, and compliance requires fixing them and meeting the rest of the standard. If you are in doubt (and I highly recommend being in doubt), check with your processing company, your web developer, or your e-store provider before downloading and installing anything.
The Bottom Line: Being PCI Compliant Isn't Optional
As a merchant, your true goal should be to ensure that your site is PCI compliant. Not just to avoid the monthly fees, but to protect yourself against lawsuits and losses caused by security breaches and lost clients. To become and remain compliant with PCI DSS:
1. Understand what PCI DSS is and whether your website complies.
You can ask your Web developer to explain this to you, or you can visit various resources to learn more:
2. Keep your software up to date.
If you use a hosted ecommerce platform such as Shopify, BigCommerce, X-Cart or Volusion, this should be taken care of for you. If you have a custom e-commerce application, a subscription-based CMS, or an integrated website built on Magento, OpenCart, or WooCommerce, check with your Web developer. Be aware, though, that it's not just the shopping cart software. If your website includes a blog section that is integrated with WordPress and isn't up to date, that will count against your compliance: an outdated component anywhere on the same host is a foothold into the site that handles payments, and an external scan will flag it regardless of whether it touches the checkout.
3. Take a PCI Self-Assessment Questionnaire.
You will most likely see on your merchant account statement a link to a PCI Self-Assessment Questionnaire (SAQ). The questionnaire asks how you process credit cards, and from your answers you receive instructions on any further steps you need to take, if any. Which version of the SAQ applies depends on how card data flows through your site: a site that hands the customer off to a processor-hosted payment page and never receives card numbers itself qualifies for a much shorter questionnaire than one whose own servers receive or store them, so keeping card data out of your own systems is the single most effective way to shrink the compliance burden.
Credit card security and compliance need to be your primary concerns if you process online credit card payments, perform recurring billing (subscriptions), or collect personal information about your clients. Here at CommonPlaces Interactive, we develop world-class ecommerce applications and subscription-based content sites for many Fortune 500 companies. We've been working with clients to develop digital media strategies specific to their online businesses and e-commerce applications. Our experience has proven invaluable to our clients with PCI DSS and application security concerns. Contact us for a friendly, no pressure conversation.