How To Avoid PCI Non-compliance Fees From Your Merchant Provider
The Payment Card Industry Data Security Standard (PCI DSS) was developed to ensure a secure environment for cardholder data. Every company that accepts, processes, stores or transmits credit card information must therefore comply with the PCI DSS requirements.
A good and inexpensive way to avoid the fee is to choose a PCI compliant hosting plan from a reputable provider, such as one of Penguin Web Hosting’s PCI Compliant Plans. Penguin Web Hosting offers plans that meet PCI compliance for only $19.95/mo.
If a merchant who processes and transmits credit card information does not comply with the PCI DSS requirements, cardholder security and data protection are not ensured, and the merchant may be fined. The issue of non-compliance with PCI DSS has existed ever since the standard was launched by the PCI SSC (PCI Security Standards Council) in 2006.
Cardholder security is now a very important issue, and because the new version, PCI DSS 2.0, took effect on 1 January 2011, the need for PCI compliance has increased even further. Lately, the number of merchants being charged by their merchant provider for non-compliance has grown exponentially, and as with all bank fees, the amount of the fee has been going up as well.
What is a non-compliance fee?
The merchant account provider can fine merchants for PCI compliance violations, in addition to any fines assessed by the payment card industry if there is a breach. Usually the merchant receives the fine after a period of two or three months and has to pay it, and the fine (or service charge, as it is sometimes called) will appear every month until the merchant becomes compliant and passes a PCI compliance scan from an Approved Scanning Vendor (ASV). These penalties are neither publicized nor openly discussed, and they vary from one merchant account provider to another, but their impact on a small business can be huge. It is therefore important to read your merchant account agreement carefully, since that is where your exposure to PCI non-compliance fees should be stated and explained.
How does PCI non-compliance work?
To understand how PCI non-compliance fees work, it helps to understand the concepts of provider and non-compliance fee. A provider is any company that processes, stores or transmits cardholder information on behalf of another merchant. The PCI guidelines call this type of company a Service Provider.
The merchant is fined for PCI non-compliance, and the fine is communicated on the provider’s bills. Whenever an organization (whether a merchant, bank or service provider) fails to meet the PCI requirements, the payment brand (Visa, MasterCard, etc.) as well as your merchant account provider can fine the responsible member. The payment brands can fine an organization up to $100,000 per month for non-compliance violations, and your merchant account provider can fine you $20, $50, even $100 or more simply for not passing a compliance scan.
The amount of the PCI non-compliance fee depends on factors such as:
- The merchant level: level 1, level 2 or level 3;
- The payment brand (Visa, MasterCard, etc.);
- The requirements or PCI standard provisions that were not followed;
- The number of violations per year.
PCI non-compliance fees
The payment brands have the ability to fine organizations, merchants and providers for non-compliance with the PCI standards and requirements. The costs of PCI non-compliance usually involve fines, audit fees or card replacement costs, but they can also include brand damage, lost business revenue, and the costs of a provider terminating its relationship with the merchant. Such costs can dramatically affect a business. Non-compliance therefore carries many costs: direct financial costs, but also costs related to lost business, damage to the brand’s reputation, and customer complaints.
PCI DSS applies to all organizations, and so do the fees for PCI non-compliance. However, when a service provider is involved in the PCI process, there are additional costs a merchant may choose to pay in order to protect against possible PCI non-compliance fees, so that the impact on the business is less dramatic.
How to avoid PCI non-compliance fees
The best way to prevent PCI non-compliance fees is full compliance with the standards and requirements. Even though compliance with PCI DSS requires time, effort and money, it is definitely a better option than the costs incurred by non-compliance. In addition, by ensuring cardholder data protection it also increases customers’ trust in the reliability of the merchant’s services and practices.
Choosing to comply with PCI DSS helps organizations prevent fraud at an international level and strengthen internal controls. Compliance with PCI DSS requires validation and certification of compliance, which can be performed internally or externally and is then reassessed on a yearly basis.
The latest version, PCI DSS 2.0, sets out 12 compliance requirements divided into six groups known as “control objectives”:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
To sum up, when dealing with cardholder information it is important to be aware of the PCI compliance standards and requirements an organization must meet, and to be informed about the costs of PCI non-compliance, the available options and the best solutions.