Sunday, May 23, 2010

A Fee by Any Other Name: PCI Compliance Fee – What are you paying for?

Obviously, when it comes to accepting credit cards, nothing is more important than protecting your data. A security breach from processing credit cards can expose companies to fines, the inability to accept credit cards and the loss of your customer’s confidence -- and there is no question about it: credit card fraud and theft are on the rise.

But as a course of business, we are constantly reviewing competing credit card processing statements for our clients. Among many of the confusing or ambiguous “fees” our clients tend to pay, there is one that always strikes me as a pure payday for the some credit card processors: The PCI Compliance Fee.

It goes by other names of course, but it almost always has to do with
  • Payment Card Industry (PCI) compliance to Data Security Standards (DSS); and
  • Giving the Merchant the impression they are in compliance with those standards.

But what if it is a false impression? Now no one is saying that secure data in not important. Read the papers, watch TV and you know that data and identity theft is on the rise. And as small merchants, you must be more diligent in how you are handling credit card information. More and more, we see a PCI Compliance Fee as just another revenue bucket for most processors. These fees have slowly been creeping up over the past two years. Some merchants are paying up to $30 a month for the privilege of seemingly being complaint.

But ask yourself:
  • “Does paying this fee to your processor make you complaint?”
  • “If you have a security breach and it is deemed that you are not compliant, are you shielded from exposure because you are paying this fee to your processor?”
  • “And, are you typically given the tools from your processor to make sure you are in good stead with the Payment Card Industry?”
And the answers are:
  • No
  • No
  • And sometimes, but not very often
So at the end of the day, what value are you getting from paying this fee? In most cases, not much.

The issue with this fee is that it has become mandatory for many processors – many times without the Merchant’s knowledge or approval. Consider this: If a Merchant has equipment that is PCI complaint, did a self-assessment and puts best practices in place to mitigate theft or fraud, should a Compliance Fee be assessed?

No, it shouldn’t; but yes it is.

Like other processing fees, a PCI Compliance Fee seems to come down from the top. It’s a non-starter and non-negotiable. You either pay it or move on. As a small business owner, you need to always get value on the expense line. If you are paying for something, there needs to be a return. But with this particular fee, it can become more problematic. Many merchants think they are paying for protection. They feel exposure is mitigated because they are paying for the compliance. Whether it’s through an actual desire to be compliant, inertia or allowing for false sense of security, the real work to become PCI Compliant rests squarely on the shoulders of the Merchant.

Paying a fee does not make your business more secure. Running your business smartly and with common sense always trumps that false sense of security.

No comments:

Post a Comment


| More