Practical Ecommerce

Questionable PCI Compliance Fees?

Merchant account providers will often automatically assess payment card industry (PCI) compliance fees to all of their ecommerce-merchant customers. However, many merchants don’t qualify for full PCI compliance, and we wondered if some of them are being charged unfairly. We recently asked a PCI compliance expert, Tim Erlin, his views on the matter. Erlin is principal product manager with nCircle, a security consulting and compliance firm and an authorized PCI scanning vendor.

PeC: Does the PCI Security Standards Council dictate uniform fees that merchant account providers can charge online merchants?

Erlin: No, the fees are determined by the merchant account providers themselves.

PeC: If a small business merchant does not qualify for full PCI compliance, due to low dollar volume, but is still being charged, what should they do?

Erlin: Regardless of their size, every merchant should understand upfront what the charges will be before they receive a statement. In an ideal world, you might find a merchant account provider who is dedicated towards smaller merchants who aren’t subject to PCI, but I don’t know of any merchant account providers who specialize in that. The best advice is really to shop around and look at other merchant account providers.

PeC: Have you personally seen account fees that should concern an ecommerce merchant?

Erlin: I haven’t seen specific fees that are concerning me, but I expect that there will be some variability in those charges as the providers figure out what they can charge and what merchants are willing to pay.

PeC: If a merchant is using a hosted shopping cart provider that is PCI compliant, should the merchant still be assessed compliance fees from his merchant account provider?

Erlin: All merchant account providers are required to be PCI compliant, and they have every right to pass along those fees to their customers. For some merchants, having a hosted shopping cart that avoids the merchant account provider and uses the payment gateway service might be a better alternative, but you can’t necessarily avoid the PCI compliance charges from the merchant account provider just because you have a hosted shopping cart.

PeC: Your firm, nCircle, is an approved PCI scanning vendor. What exactly does that mean?

Erlin: That means that we’re approved by the PCI Security Standards Council to provide external vulnerability scans, on a quarterly basis, as per the PCI requirements.

PeC: Is it still valid for a merchant account provider to charge the merchant for PCI fees if they’re using the services of an approved scanning vendor?

Erlin: Unfortunately for the merchant, it’s probably expected. The best advice I can give to merchants in terms of reducing your exposure to PCI compliance is to avoid as much as possible ever having possession or storing or transferring/transacting the credit card data itself. Pass the data directly to the payment gateway or a merchant account provider and do not store it anywhere in your systems. Then you reduce the need to worry about PCI compliance.

PeC: Do you have any more advice for our readers about PCI compliance?

Erlin: PCI compliance is confusing for almost everybody. If you’re having a conversation with your merchant account provider, your bank, your payment gateway, or your hosted shopping cart provider and you don’t understand something about PCI, don’t be afraid to ask.


Comments (2)

  1. Bryan Johnson, March 3, 2009

    Good article selection. We are a provider of credit card processing and PCI Compliance services. We’ve had a lot of merchants ask us why their provider is charging them a new ‘PCI Compliance’ fee when they’re not getting any new service.

    Some merchant account providers have teamed up with scanning companies like nCircle to offer their merchants this required service. They’ve also simultaneously started charging all customers a fixed monthly PCI Compliance fee to cover the costs and get a little something for themselves.

    It seems to me that providers should a) not charge the fee if they’re not providing any new service and b) allow merchants to opt in/out of any new service offering instead of charging everyone regardless.

    http://www.braintreepaymentsolutions.com/blog/pci-dss-compliance-charge-on-my-merchant-statement/

  2. dfwcard, November 12, 2010

    PCI compliance fees are for the top line revenue of processing companies. There are no benefits to the merchant to be charged a fee. Processors with older infrastructures that need upgrades to keep up with security enhancements do so by charging PCI fees.

    We do not. Nor do we charge an annual fee or termination fee. http://merchantservices.cc/nopci
