Questionable PCI Compliance Fees?

Merchant account providers will often automatically assess payment card industry (PCI) compliance fees to all of their ecommerce-merchant customers. However, many merchants don’t qualify for full PCI compliance, and we wondered if some of them are being charged unfairly. We recently asked a PCI compliance expert, Tim Erlin, his views on the matter. Erlin is principal product manager with nCircle, a security consulting and compliance firm and an authorized PCI scanning vendor.

PeC: Does the PCI Security Standards Council dictate uniform fees that merchant account providers can charge online merchants?

Erlin: No, the fees are determined by the merchant account providers themselves.

PeC: If a small business merchant does not qualify for full PCI compliance, due to low dollar volume, but is still being charged, what should they do?

Erlin: Regardless of their size, every merchant should understand upfront what the charges will be before they receive a statement. In an ideal world, you might find a merchant account provider who is dedicated to smaller merchants who aren’t subject to PCI, but I don’t know of any merchant account providers who specialize in that. The best advice is really to shop around and look at other merchant account providers.

PeC: Have you personally seen account fees that should concern an ecommerce merchant?

Erlin: I haven’t seen specific fees that are concerning me, but I expect that there will be some variability in those charges as the providers figure out what they can charge and what merchants are willing to pay.

PeC: If a merchant is using a hosted shopping cart provider that is PCI compliant, should the merchant still be assessed compliance fees from his merchant account provider?

Erlin: All merchant account providers are required to be PCI compliant, and they have every right to pass along those fees to their customers. For some merchants, having a hosted shopping cart that avoids the merchant account provider and uses the payment gateway service might be a better alternative, but you can’t necessarily avoid the PCI compliance charges from the merchant account provider just because you have a hosted shopping cart.

PeC: Your firm, nCircle, is an approved PCI scanning vendor. What exactly does that mean?

Erlin: That means that we’re approved by the PCI Security Standards Council to provide external vulnerability scans, on a quarterly basis, as per the PCI requirements.

PeC: Is it still valid for a merchant account provider to charge the merchant for PCI fees if they’re using the services of an approved scanning vendor?

Erlin: Unfortunately for the merchant, it’s probably expected. The best advice I can give to merchants in terms of reducing your exposure to PCI compliance is to avoid as much as possible ever having possession or storing or transferring/transacting the credit card data itself. Pass the data directly to the payment gateway or a merchant account provider and do not store it anywhere in your systems. Then you reduce the need to worry about PCI compliance.

PeC: Do you have any more advice for our readers about PCI compliance?

Erlin: PCI compliance is confusing for almost everybody. If you’re having a conversation with your merchant account provider, your bank, your payment gateway, or your hosted shopping cart provider and you don’t understand something about PCI, don’t be afraid to ask.

PEC Staff