PCI Compliance Fees: What They Are, and What To Do About Them

Have you noticed a PCI compliance fee on your statement lately? Want to know what it’s for? Want to know if it’s legit? Want to know how to get rid of it? Then, keep reading…

In the past year, I’ve had quite a few merchants ask me about this new PCI Compliance fee that’s been popping up on their statements. Sometimes it comes in the form of an annual fee ($99+/year), and other times it can be a monthly fee ($19.95/month). In some rare cases, you might be seeing both an annual fee and a monthly fee.

For merchants that don’t understand PCI compliance, the PCI compliance fee looks like just another garbage fee tacked on by their processor to earn them even more profit. The truth, however, is somewhere in the middle.

There’s a great two-part series on GreenSheet.com that I highly recommend you read (here’s part 1, and part 2). GreenSheet.com is an “insider” website for the credit card processing industry. It’s what your processor/provider, and their sales reps, read on a regular basis. It’s also a great way for you to learn about the business from their point of view. If you read the two-part article, you’ll probably understand more about this PCI compliance fee than about 90% of your peers.

The title of that Green Sheet article is “What does a merchant get for a PCI fee?” That question is the single most important inquiry that all merchants should be asking from their credit card processor.

What type of service or product are you getting by paying this extra fee?

Since there’s so much misinformation around PCI compliance, the sector is ripe for illegitimate charges. Please don’t be one of those business owners that gets charged without receiving anything of value in return.

So what are the possible services or products that your provider might be offering in return for said fees? Let’s review them below…

Non-Compliance Fee
The non-compliance fee is pretty self-explanatory. Your processor charges you a monthly fee for not being compliant with the PCI DSS standard. The fee usually ranges from $5 to $19.95, with some processors charging as much as $30 per month. It provides no value, and only serves as a blunt reminder that your processor doesn’t have any type of proof that you are compliant.

From the Green Sheet article…

What about those charging a ‘noncompliance fee’? Does that mean that the [merchant] customer is not PCI compliant, and instead of being [brought] to compliance or shut down they get a free pass as long as they pay $xx.xx/month? Sounds like a cop giving out tickets to drunk drivers instead of taking them in.

This fee can and should be easily removed by becoming compliant. Ask your processor exactly what you need to do to become compliant, then…become compliant. There’s no reason why they should be charging you a “non-compliance” fee if you have taken all the steps to get compliant. If they continue charging you a non-compliance fee even after you’ve met their requirements, then it’s time to switch to a new processor.

Data Breach Insurance
Some processors offer “Data Breach” insurance to their merchants for a monthly/annual fee. This would be valuable if the insurance was foolproof, but it’s not.

What makes this topic so polarizing is the magnitude of liability and the uncertainty as to who ultimately owns the liability. To wit, when an ISO or acquirer assesses a monthly PCI fee that includes insurance, who is liable if, after a breach, the insurer declines the claim?

So, in a nutshell, you’re paying a monthly fee for insurance that may or may not cover you in the event of a data breach? The simple fact that an insurer can “decline the claim” should be reason enough for you to be leery of data breach insurance.

If you’re being charged for data breach insurance, you should ask your processor for all the details and terms. If you’re not happy with the terms, or your processor doesn’t provide them to you, then start looking for a new processor.

Compliance Support
This is the most legitimate of all the fees charged, and it’s usually in the form of an annual fee. If your processor is regularly contacting you, helping you, educating you, and offering you scanning services, then they have every right to charge you a compliance fee, because they’re offering you something in return. The problem is that not many processors hold up their end of the bargain, yet still charge you this annual fee. What’s more, most of the time your processor will overcharge you for services that you could get for less, if you just took the time to learn about PCI compliance yourself.

In some markets, the person with more information usually has the upper hand. PCI compliance is a market where education pays off. Even if you have to spend a whole weekend learning about this stuff, you’ll be much better off than your less informed counterparts. You’ll probably end up paying less in fees as well.

Amad Ebrahimi
Amad has worked in the eCommerce and online marketing world since 2002. He started as an eBay seller, then slowly graduated to building & marketing his own websites and consulting others to do the same. He founded Merchant Maverick out of frustration with all the misinformation and shady tactics that he encountered when trying to find a merchant account for his and his clients’ businesses. He’s the man behind most of the merchant account reviews and articles posted on MerchantMaverick.com. Have any questions related to credit card processing? Talk to him.



    I also found out that for a whole year I’ve been charged $19.99 for not filling out the
    monthly questionnaire.
    Does that mean that every month we have to fill out a questionnaire, or is it once a year?
    We only use the debit machine and for the most part we only use it for 6 months out of the
    year. Do I have to fill it out when we don’t use it?
    Thank you, Karen

    Tom DeSimone

    Hi Karen,

    The PCI Self Assessment Questionnaire (SAQ) must be completed annually. Depending on your business, you may also need to perform quarterly system scans. An Attestation of Compliance must be completed annually too. For small businesses that use a third-party to handle the actual card data and storage, this process is very quick and easy (an hour or two of your time), and gets quicker and easier every year. There is nothing that you have to do on a monthly basis.

    Hope this helps,


    I have a small business with less than 200 credit card transactions per year, through the card terminal only. The Security Metrics company bothers me every year, as well as raising their fee to $170. What should I do to stay PCI compliant and not pay this money?

    Tom DeSimone

    Hi Svetlana,

    See this page for information on determining your compliance. Depending on your business, maintaining compliance can be either very easy or very difficult. In some cases, it will make sense to pay a company like Security Metrics to help you with this. You might also consider talking to your merchant account provider to see if they have a less expensive option to help you maintain compliance. Otherwise, just check out the above link. It will direct you to the Self Assessment Questionnaires (SAQs). There is a document in there that will help you figure out which questionnaire you need for your business type.

    Good luck,

    Mike Lamm

    I am in the process of closing my account with my current processor. They have been charging me an annual fee of $95.00 and a monthly fee of $29.95 for the past 2 years. These fees are not listed on my monthly statement; I discovered them on my bank statement. Is this legal?

    Tom DeSimone

    Hi Mike,

    Those fees should definitely have been listed somewhere on your statements. They don’t always make the fee easy to find, but it’s almost always there. I’m not sure if there is a law against assessing charges without listing them, but I can tell you for sure that the industry standard is to always list all fees on monthly statements. Scheduled fees like PCI are usually listed toward the bottom.

    Now if the fee was not listed on the fee page of your contract, or elsewhere in the contract, then it is certainly not legal. But most processors are sneaky, not stupid. They work around laws to increase profits, but don’t generally blatantly break them. So my guess is that you won’t have a legal case against them.

    But, that said, the $29.95 monthly fee is probably a PCI non-compliance fee. You might have a chance of getting some of that money back, since it’s really just a penalty for not doing the PCI self-assessment. The annual $95.00 is less likely to be refunded. And anything older than six months is unlikely to be refunded in any case, unless it was a fee charged by mistake.

    If you can’t get this resolved through customer service, try the Better Business Bureau. It depends on who your processor is, but sometimes refunds are possible. I know how frustrating this sort of thing is. Non-disclosure of fees is entirely unethical. Please check out our best-rated providers when you’re ready to switch.

    Good luck and take care,

    Jesse James, Esq.

    My firm desires to file a Class Action Lawsuit against World Pay for Florida consumers pursuant to Florida’s Deceptive and Unfair Trade Practices Act (FDUTPA) (F.S. §501.201). World Pay has been charging consumers with PCI Non-Compliance fees without employing adequate procedures to alert consumers of the need to become compliant. Additionally, World Pay has failed to adequately inform or notify consumers who end up being Non-Compliant that they are in fact being charged an additional fee each month for remaining out of compliance. World Pay has chosen to slip the Non-Compliance fee into its billing with the hopes that it will go undetected by busy small business owners for as long as possible. Small businesses have been charged with PCI Non-Compliance charges for several months without a single written notice or phone call to alert the owners of their non-compliance or the fact that they are even being charged an additional fee for being non-compliant. World Pay has employed a “catch me if you can” strategy in its practices and procedures regarding scamming consumers out of $19.95 per month for as long as they can keep it going. Once the issue is finally detected, the small businesses have in most cases paid out hundreds of dollars in non-compliance fees. This usually occurs with businesses who pay their monthly payment through direct draft, and the amount of $19.95 is so insignificant it goes undetected for several months before it is finally discovered. Once discovered, the small business owner is left with a “too bad so sad” response and a suggestion that they should log into their online account more frequently because any notifications will only be found that way. Florida consumers who would like to participate in this proposed Class Action Lawsuit should leave their information through the “contact us” link on our website. http://www.jessejameslawfirm.com

    Kelly Thrall

    Thank you for your article. I have been charged these fees for the last 19 months and have questioned my merchant services provider over and over. During the time I have been growing my business I have not been able to devote much time to learning about this more, but now I am wondering if it’s possible to recoup these fees for having been charged them. I know that may be a long shot, but had I not found something on my account a month after starting my services, I would have been overcharged another $10 a month. When I found the “other” compliance fee, that told me it was optional. When I signed up for the agreement, I was not told it was optional. Just feeling scammed, and when you are a small business trying to get off the ground, the last thing you want is a bank already making millions taking your hard-earned profit.

    Tom DeSimone

    Hi Kelly,

    In my experience, providers will sometimes issue refunds for PCI non-compliance fees, but rarely for PCI compliance fees. This is because the compliance fees usually come directly from the processor (but not the credit card network), so the account provider often does not have the power or flexibility to refund those fees. Non-compliance fees are often not issued directly from the processor, so there is more flexibility. If you want to try to get a refund and aren’t having luck with your provider’s customer service, try going to the BBB with the complaint. They might be willing to give a partial refund.

    Good luck!


    We switched to a new credit card company last year (March 2013) and this past month I noticed my rates were higher even though our credit card amounts were the same. Trying to figure out why, I printed all my statements and I was instantly pissed! I have been paying a non-compliance fee for over 9 months and not one time was I notified by anyone about this. I called my sales rep and he told me that it is a required fee from Mastercard/Visa (which is what he uses as an excuse for every fee we get) and that I was contacted both by the credit card company and them (I gave him a few choice words for that, because I never miss anything, and it’s hard to believe I would have missed two compliance notices)… Anyway, I finally became compliant a couple days ago, but I am wondering also about the “annual fees.” On top of being charged 19.99 a month on both of my accounts, I was also charged a “Regulatory/Compliance fee” of $90 and a PCI compliance fee of $90. One was in March of this year and one in May of this year. Isn’t this the same fee??

    Scott Ryals

    I do maybe 20 transactions a year. I call them in verbally over the phone. Unless someone at the NSA taps my phone – what exactly is PCI doing for me? If I average the fee across the number of transactions I do per year the fee is sometimes more than the damned charge. From my point of view this is a stinking pile of bullsh*t.

    Tom DeSimone

    Hi Scott,

    While the steps your processor takes to ensure PCI compliance are valuable to you, since you must remain PCI compliant as per the credit card network guidelines even if you only do telephone orders, I 100% agree with you that PCI fees are often just a way for processors to cash in. A merchant in your position should not be paying the $80+ annually that is the industry-standard for PCI compliance. In most cases PCI fees can be waived during contract negotiations, and many providers simply do not charge this sort of fee.

    With a transaction volume that low, you might consider using a mobile pay-as-you-go processor. You don’t really need a full merchant account to do only a couple dozen transactions annually. Check out Flint, for instance.

    Good luck!

    Frank Pulkownik

    I am being charged $49.99 per month for a non-compliance fee. I need to call. Can I demand my money back?

    Tom DeSimone

    Hi Frank,

    $50 monthly for non-compliance is very steep. You should check your contract and fee schedule to make sure that amount is correct. Assuming it is in your contract, you can’t “demand” your money back legally, but you can certainly ask for it back firmly. If you explain that you were not aware of this fee and would like a refund, your provider will almost certainly offer a partial refund at least. Just for the sake of curiosity, may I ask who you use for processing?

    Dr Gina Delia

    Do you know anything about Retriever credit card processing in NY? I tried to close my acct but it was auto-renewed. I was told that to close it someone must come to my office, and I still can’t find out if there is a fee.

    Dr Gina Delia

    What is the difference between PCI compliance service and Platinum PCI service, which I pay $90.00 annually to Retriever?


    Is there a fee to be compliant, or can you DIY? And if there is a fee, is it payable annually?

    Amad Ebrahimi

    Dave, this really depends on the processor. Some of them charge an annual fee, some charge a monthly fee, and others don’t charge at all. As a rule, the monthly fee is usually for non-compliance. The annual fee is usually charged as a way to cover the processor’s costs for informing their customers and making sure they’re compliant.


    Thank you SO much for this article–very concise and very helpful. I run a very small business and am just starting the mobile credit card gig. Eeek. I’ve bookmarked this site as a must read.

    Pat Roche

    I was charged £30 per month for over 7 months before I printed off my statements for my tax return back in January…

    Yes, I had to fill out a form to become compliant and hopefully they have stopped charging me now (I haven’t gone back online to view my statements, too busy with getting the job done…)
    I did try to complain but they said they had advised their merchants on their web site…
    I strongly advise you to go online now and review your statements, and even if you haven’t been charged, fill out the form!

    J Curtis

    Thank you so much for your article. I have noticed a charge of $99.00 on my statement for PCI fees and now $19.95 per month.

    Christine Roy

    I just want to thank you for providing this information. My head is so filled with different companies’ junk info that I sometimes don’t know which end is up.

    I am very much afraid of this venture of mine into the world of internet retail. I’ve already been scammed out of $300 and it is frightening to realize just how many deceitful companies there are out there. When a person is all alone in opening a store etc. it can be devastating to discover that you’ve been “duped” despite trying to research every little thing that has to be done just to open my virtual doors. Thank you again for information that is not self-serving.

    Amad E.

    No problem Christine, we’re glad to help. If you have any questions, you can always contact us directly.

