Merchant account providers will often automatically assess payment card industry (PCI) compliance fees to all of their ecommerce-merchant customers. However, many merchants don't qualify for full PCI compliance, and we wondered if some of them are being charged unfairly. We recently asked a PCI compliance expert, Tim Erlin, his views on the matter. Erlin is principal product manager with nCircle, a security consulting and compliance firm and an authorized PCI scanning vendor.
PeC: Does the PCI Security Standards Council dictate uniform fees that merchant account providers can charge online merchants?
Erlin: No, the fees are determined by the merchant account providers themselves.
PeC: If a small business merchant does not qualify for full PCI compliance, due to low dollar volume, but is still being charged, what should they do?
Erlin: Regardless of their size, every merchant should understand upfront what the charges will be before they receive a statement. In an ideal world, you might find a merchant account provider who is dedicated to smaller merchants who aren't subject to PCI, but I don't know of any merchant account providers who specialize in that. The best advice is really to shop around and look at other merchant account providers.
PeC: Have you personally seen account fees that should concern an ecommerce merchant?
Erlin: I haven't seen specific fees that are concerning me, but I expect that there will be some variability in those charges as the providers figure out what they can charge and what merchants are willing to pay.
PeC: If a merchant is using a hosted shopping cart provider that is PCI compliant, should the merchant still be assessed compliance fees from his merchant account provider?
Erlin: All merchant account providers are required to be PCI compliant, and they have every right to pass along those fees to their customers. For some merchants, having a hosted shopping cart that avoids the merchant account provider and uses the payment gateway service might be a better alternative, but you can't necessarily avoid the PCI compliance charges from the merchant account provider just because you have a hosted shopping cart.
PeC: Your firm, nCircle, is an approved PCI scanning vendor. What exactly does that mean?
Erlin: That means that we're approved by the PCI Security Standards Council to provide external vulnerability scans, on a quarterly basis, as per the PCI requirements.
PeC: Is it still valid for a merchant account provider to charge the merchant for PCI fees if they're using the services of an approved scanning vendor?
Erlin: Unfortunately for the merchant, it's probably expected. The best advice I can give to merchants in terms of reducing your exposure to PCI compliance is to avoid as much as possible ever having possession or storing or transferring/transacting the credit card data itself. Pass the data directly to the payment gateway or a merchant account provider and do not store it anywhere in your systems. Then you reduce the need to worry about PCI compliance.
PeC: Do you have any more advice for our readers about PCI compliance?
Erlin: PCI compliance is confusing for almost everybody. If you're having a conversation with your merchant account provider, your bank, your payment gateway, or your hosted shopping cart provider and you don't understand something about PCI, don't be afraid to ask.