PCI Compliance Fees: A Fair Processing Charge Or A Junk Fee?
Merchant services providers are notorious for tacking on all kinds of additional fees for their services, often not disclosing them during the sales process and leaving it to merchants to find them buried somewhere in the pages and pages of fine print that make up their contracts. One fee that raises a lot of questions from merchants is the PCI Compliance Fee. What is the fee for? What services does the provider offer in exchange for it? Most importantly, is there any way to get out of paying it?
In this article, we’ll discuss PCI compliance, why it’s important, and how your merchant services provider treats it. We’ll look at the numerous ways in which providers charge (or don’t charge) for PCI compliance services, and what kind of services you’ll receive. We’ll also discuss the dreaded PCI non-compliance fee, and how you can avoid ever having to pay this fee. Check out our merchant account comparison chart to get the full picture on fees—including PCI fees—from some of the best payment processors in the industry.
Let’s start with the basics. PCI compliance refers to compliance with the data security standards set out in the Payment Card Industry Data Security Standard (PCI DSS). These standards are designed to ensure that your customers’ credit card data is handled safely and securely, with the goal of minimizing the chance of a data breach by hackers or other criminals. Compliance with PCI DSS standards is required by the credit card associations (e.g., Visa, Mastercard, etc.), but enforcement is generally left up to the individual processors.
Requirements for being PCI compliant are complex and vary widely from one business to the next. For example, a retail-only business that doesn’t use a payment gateway might have relatively few requirements to meet. By contrast, an eCommerce business that processes all sales over a payment gateway and uses a customer information database to store customer payment method information would have far more extensive requirements. Unfortunately, merchant services providers don’t always take these distinctions into account when setting PCI compliance fees, preferring to charge all merchants the same fee regardless of their actual compliance needs.
The credit card associations have divided businesses into four levels of risk based on how many transactions they process annually. To figure out which risk level your business falls under, check out our article Determining Your Merchant Risk Level for PCI Compliance. Most small businesses will fall under Level 4, which is defined as “Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually.” You’ll also want to review our Quick Guide To PCI DSS Compliance For Small Merchants (Level 4), which goes into more detail about the specific actions you’ll need to take to attain PCI compliance.
While many of the required actions are accomplished by your provider, there are also some actions that you will have to perform yourself. For most merchants, the most important action you’ll need to take is to complete the Self-Assessment Questionnaire (SAQ). This questionnaire needs to be updated on an annual basis, and failure to complete it is perhaps the most common reason for merchants to be charged a PCI non-compliance fee by their providers.
The PCI Security Standards Council (PCI SSC) publishes several different forms of the SAQ for different types of businesses. These forms are described on their website, which also includes links to instructions and documents you’ll want to refer to when filling out the SAQ. For more details on PCI compliance requirements, please see our article Everything You Need to Know About PCI DSS Compliance.
How Processors Treat PCI Compliance
There are a number of different ways your merchant services provider can approach PCI compliance, and it seems like every provider does it differently. These approaches involve two variables: 1) whether your provider offers any services for PCI compliance, and 2) whether your provider charges you a PCI compliance fee. This results in four possible approaches to PCI compliance, and we’ve found all four being used throughout the processing industry. The four approaches are as follows:
- No fee charged, no services provided: Under this approach, your provider basically leaves PCI compliance up to you. You won’t be charged a PCI compliance fee, but you won’t receive any services to help you maintain compliance, either. This approach works best for experienced merchants who are comfortable handling their own PCI compliance requirements.
- No fee charged, services are provided: This approach is the most popular with merchants, for obvious reasons. You receive at least some services that help you maintain PCI compliance, but you don’t pay a separate fee for them. One of our favorite providers, Helcim (see our review), uses this approach. Of course, nothing is ever really free in the processing industry, and in most cases, providers using this approach are actually bundling the PCI compliance fee into your monthly account fee.
- Fee charged, services are provided: This is the most common approach used by providers. You’ll have to pay a fee, but you’ll receive PCI compliance services in exchange for that fee that help to keep you compliant. As long as the cost is reasonable, and the services provided actually help to keep your account secure, this is a fair and sensible approach.
- Fee charged, no services provided: Unfortunately, there are some unscrupulous providers out there that will gladly charge you a PCI compliance fee, but don’t offer any services in exchange. Not only are you on your own when it comes to maintaining compliance, but you’re also being ripped off by having to pay a “junk” fee that doesn’t provide anything other than increased profits to your provider. Obviously, we recommend that you steer clear of providers that utilize this approach.
If your provider does charge a PCI compliance fee, it will be billed on either an annual or monthly basis. Most providers seem to prefer to charge a yearly PCI compliance fee. While this might, in some cases, result in a lower overall cost than a monthly fee, it also has a distinct disadvantage. If you close your account after you’ve paid your annual fee, there’s usually no proration, and you won’t receive a refund on the unused portion of the fee. Providers that require long-term, multiyear contracts typically charge an annual fee, while those offering month-to-month billing with no long-term contract more frequently charge a monthly PCI compliance fee. While the amount charged for PCI compliance can vary wildly, the industry average is around $120.00 per year. As noted above, providers that offer PCI compliance services, but don’t charge a discrete fee for them usually include the cost of providing those services in your monthly account fee.
Unfortunately, sales representatives for merchant services providers commonly fail to disclose the existence of a PCI compliance fee when selling merchant accounts. You’ll want to bring this issue up when negotiating the terms of your account. You should also review your contract documents to determine whether a PCI compliance fee is charged, and how much it will cost you.
PCI Compliance Services
If you’re going to have to pay a PCI compliance fee, it’s only reasonable that you should receive something of value in return. One common misconception about PCI compliance fees is that payment of the fee means that your provider will ensure that your account is fully compliant, and you don’t have to do anything. Unfortunately, this simply isn’t true. While robust PCI compliance services can take care of the more technical aspects of compliance, at a minimum, you’ll still have to complete the Self-Assessment Questionnaire (SAQ) and keep it updated.
Most PCI compliance services offered by providers fall into one of the following three categories:
- Security scans: This is the most basic compliance service your processor can provide you with, and it’s essential that it be included if you’re paying a PCI compliance fee. Security scanning services thoroughly check all aspects of your processing system, including your website, server, payment gateway, and any connected terminals or POS systems for viruses, Trojans, malware, and other potential security threats. Scans are required to be conducted on a quarterly basis, although some providers will scan your system every month.
- Data breach insurance: This is insurance that will reimburse you for any losses or claims resulting from a breach in which your customer data is hacked or stolen. Data breach insurance is subject to policy limits and a number of exclusions, so there’s no guarantee that the insurer will accept your claim if you suffer a breach. You’ll want to review your insurance policy to determine what specific incidents it will or will not cover. While the possibility of a denied claim can make this type of insurance seem like a waste of money, it’s certainly better than not having any insurance against a breach at all. Data breach insurance is particularly important for eCommerce merchants. One of our highest-rated providers, CDGcommerce (see our review), offers $100,000 in data breach insurance as part of its optional cdg360 security package. At $15.00 per month, it’s a worthwhile investment.
- Customer education and assistance: This is perhaps the most nebulous, but also the most important, compliance service your provider can offer. What you want – and what some providers offer – is an in-depth knowledge base to educate you about PCI compliance requirements, plus proactive assistance whereby your provider will contact you immediately if they detect anything amiss regarding your account’s security. Unfortunately, some providers offer only minimal services in this area, while still charging you a full PCI compliance fee. Beware of providers that offer just a minimal FAQ on PCI compliance or are quick to start charging you a PCI non-compliance fee without notifying you that your account is out of compliance.
PCI Non-Compliance Fees
A PCI non-compliance fee is nothing less than a fine or penalty for failing to keep your account compliant with PCI DSS standards. It’s only imposed if you, the merchant, have neglected to do something on your end to keep your account compliant. Failure to complete or maintain the Self-Assessment Questionnaire (SAQ) is the most common reason for a PCI non-compliance fee to be imposed.
The biggest problem with the PCI non-compliance fee is that it doesn’t do anything to rectify the situation or bring your account into compliance. Your provider doesn’t offer any additional services for this fee, and as such, we consider it to be a “junk” fee. Unfortunately, your provider may impose a PCI non-compliance fee without notice to you, and they’ll continue to charge this fee every month until you bring your account back into compliance. PCI non-compliance fees vary from one provider to the next, but the industry average is about $20.00 – $30.00 per month.
As much as we don’t like this fee, the fact is that almost all merchant services providers will charge you a PCI non-compliance fee if you fail to keep your account compliant. This includes highly rated providers such as Helcim (see our review) that don’t charge a PCI compliance fee. However, unlike most providers, Helcim will usually notify you if your account becomes non-compliant, and they’ll give you a 90-day grace period in which to rectify the situation before they start charging the fee. Unfortunately, most other providers won’t notify you at all, and will just start charging the extra fee until you notice it and bring your account back into compliance on your own. This is yet another reason why you need to carefully review your merchant account statement every month.
Can you be charged for both PCI compliance and non-compliance at the same time? Of course you can! In fact, if your provider charges you for PCI compliance and your account becomes non-compliant, you’re guaranteed to end up paying both fees simultaneously until you fix the problem. The bottom line on PCI non-compliance fees is that they’re easily avoided simply by keeping your account compliant. As long as you review your requirements and make sure you’re meeting them, you should never have to pay this fee.
Needing to maintain PCI compliance requirements is an inevitable part of having a merchant account. You’re going to have to meet those requirements regardless of how much (or how little) assistance you receive from your provider. Because PCI compliance policies and fees vary so much from one provider to another, you should carefully research your provider’s approach to PCI compliance before you sign up for an account. As we’ve noted, paying a reasonable PCI compliance fee is entirely acceptable as long as your provider is offering some actual services to keep you compliant. The situation you want to avoid is one where you’re being charged a PCI compliance fee, but aren’t receiving any compliance services.
It’s also critically important to review your contract thoroughly before you sign up with a new provider. While this is good advice in general, it’s particularly important in determining whether you’ll be liable for PCI compliance or non-compliance fees, and how much they’ll cost. As we’ve noted, sales representatives generally don’t disclose these fees unless you specifically ask about them first.
Of course, merchants also want to know if there’s any way to get out of paying for PCI compliance services. In most cases, the answer is no. PCI compliance fees are a standard feature of most merchant account contracts, and they generally cannot be waived by your sales agent. The exception to this rule is when your provider charges a “junk” compliance fee without providing any services. In this case, your sales agent may be willing to drop the fee to get you to sign up, as they won’t be providing you with any services regardless of whether you pay the fee or not.