In a previous entry we explained the basics behind what PCI Compliance is and the process required by merchants to remain compliant. While we explained that there are certain penalties associated with being non-compliant we neglected to cover how most merchant providers are currently handling the situation in relation to cost and billing.
By now, almost every merchant is being charged some sort of PCI compliance fee, whether they know it or not. We were able to get a number of real statements from the major merchant providers and found the following: Elavon ($135), First Data ($119.75), North American Bancard ($79; unable to confirm whether this is monthly, quarterly or annually), Sovereign Bank ($89 and/or $10 a month), and so on.
What is this charge for?
Because the PCI Security Council has mandated that all banks, processors, gateways and merchants must be PCI compliant for 'end-to-end' security, the processors have taken on extra costs to maintain compliance on their end and thus pass this fee on to the merchant.
What do I as the merchant get out of paying these fees with my specific merchant provider and why should I pay them in the first place?
The latter is answered quite easily. If you don't pay, you won't process with this company anymore. That's how serious PCI compliance is. The PCI Security Council has to deal with millions of cases a year involving non-compliant companies. Just Google 'TJ Maxx Hacked' or 'Heartland Hacked' for examples of the devastating effect security breaches can have on the entire system. To date, the cost associated with these breaches far outweighs the cost of becoming PCI compliant. Your option is to either pay it or find the one or two companies that don't charge compliance fees (more on this in a minute).
The former is a very important question to ask, as some merchant providers include the scanning service with their compliance fees. As a merchant, you are required to complete a full scan of your systems at least once a quarter. Third-party scanning companies can run anywhere from $200-$1000 a year for the scanning services on top of the annual PCI compliance fees. Ideally, getting a processor like iPayment that includes the scanning services in their cost is the better way to go. For example, iPayment charges $129 a year for their PCI compliance costs, and they include with this the scanning service provided by their partner ComplyGuard.
Is there a way to NOT pay any PCI compliance fees?
Unfortunately, it has become very difficult to find a merchant provider who doesn't charge something for PCI compliance. They do, however, exist, and with a little perseverance you can still find them. PayJunction, for example, does not charge anything for PCI compliance. While their systems are fully compliant, they have waived PCI compliance fees as an added courtesy to their customers. It is still the merchant's duty to be compliant on their end by getting quarterly scans. However, you can assume that responsibility at your own risk.
Currently there are no regulated means for the card associations to know whether you have done the scans or not. If you do happen to run across a random security audit and are found to be non-compliant, you will be fined and potentially shut down. However, the current chance of this happening is very small. Either way, we recommend doing the scans so that you aren't exposed to a potential attacker. As noted in the cases above, the consequences of a security breach can be dire for any business.
For more information about PCI Compliance or PayJunction's services please contact us today.