PCI Compliance Fees: What They Are, and What To Do About Them
In the past year, I've had quite a few merchants ask me about this new PCI Compliance fee that's been popping up on their statements. Sometimes it comes in the form of an annual fee ($99+/year), and other times it can be a monthly fee ($19.95/month). In some rare cases, you might be seeing both an annual fee and a monthly fee.
For merchants that don't understand PCI compliance, the PCI compliance fee looks like just another garbage fee tacked on by their processor to earn them even more profit. The truth, however, is somewhere in the middle.
There's a great two-part series on GreenSheet.com that I highly recommend you read (here's part 1, and part 2). GreenSheet.com is an "insider" website for the credit card processing industry. It's what your processor/provider and their sales reps read on a regular basis. It's also a great way for you to learn about the business from their point of view. If you read the two-part article, you'll probably understand more about this PCI compliance fee than about 90% of your peers.
The title of that Green Sheet article is "What does a merchant get for a PCI fee?" That question is the single most important one that all merchants should be asking of their credit card processor.
What type of service or product are you getting by paying this extra fee?
Since there's so much misinformation around PCI compliance, the sector is ripe for illegitimate charges. Please don't be one of those business owners that gets charged without receiving anything of value in return.
So what are the possible services or products that your provider might be offering in return for said fees? Let's review them below...
Non-Compliance Fee
The non-compliance fee is pretty self-explanatory. Your processor charges you a monthly fee for not being compliant with the PCI DSS. The fee usually ranges from $5 to $19.95, with some processors charging as much as $30 per month. It provides no value, and only serves as a blunt reminder that your processor doesn't have any proof that you are compliant.
From the Green Sheet article...
What about those charging a 'noncompliance fee'? Does that mean that the [merchant] customer is not PCI compliant, and instead of being [brought] to compliance or shut down they get a free pass as long as they pay $xx.xx/month? Sounds like a cop giving out tickets to drunk drivers instead of taking them in.
This fee can and should be easily removed by becoming compliant. Ask your processor exactly what you need to do to become compliant, then...become compliant. There's no reason why they should be charging you a "non-compliance" fee if you have taken all the steps to become compliant. If they continue charging you a non-compliance fee even after you've met their requirements, then it's time to switch to a new processor.
Data Breach Insurance
Some processors offer "Data Breach" insurance to their merchants for a monthly or annual fee. This would be valuable if the insurance were foolproof, but it's not.
What makes this topic so polarizing is the magnitude of liability and the uncertainty as to who ultimately owns the liability. To wit, when an ISO or acquirer assesses a monthly PCI fee that includes insurance, who is liable if, after a breach, the insurer declines the claim?
So, in a nutshell, you're paying a monthly fee for insurance that may or may not cover you in the event of a data breach. The simple fact that an insurer can "decline the claim" should be reason enough for you to be leery of data breach insurance.
If you're being charged for data breach insurance, you should ask your processor for all the details and terms. If you're not happy with the terms, or your processor doesn't provide them to you, then start looking for a new processor.
PCI Compliance Fee
This is the most legitimate of all the fees charged, and it's usually in the form of an annual fee. If your processor is regularly contacting you, helping you, educating you, and offering you scanning services, then they have every right to charge you a compliance fee, because they're offering you something in return. The problem is that not many processors hold up their end of the bargain, yet still charge you this annual fee. What's more, most of the time your processor will overcharge you for services that you could get for less if you just took the time to learn about PCI compliance yourself.
In most markets, the person with more information has the upper hand. PCI compliance is a market where education pays off. Even if you have to spend a whole weekend learning about this stuff, you'll be much better off than your less informed counterparts. You'll probably end up paying less in fees as well.