What is PCI Compliance? And why are merchants charged so much for being “non-compliant”?
Card brands mandate that merchants and payment processors follow a specific set of security standards when processing card transactions. They created the Payment Card Industry Security Standards Council and tasked them with two objectives:
- Create and administer a complete set of Data Security Standards for anyone involved in card transactions to follow.
- Make sure that every entity involved in card payment processing is compliant with current Data Security Standards.
Consumers put a piece of their most sensitive data in the hands of merchants every day - their credit card payment information. According to the Card Brands and the Payment Card Industry, it is the obligation of the merchant and their payment processors to protect that information. If you're not protecting that information in accordance with their set of security standards, you will pay significant fees for “non-compliance”.
Understanding PCI Security Standards Council and PCI Data Security Standards (PCI DSS).
The Payment Card Industry (PCI) Security Standards Council sets the standards for security when processing payment card transactions. We collectively refer to these standards as the PCI’s Data Security Standards, or PCI-DSS. The PCI SSC requires every business accepting credit card payments to comply with these standards. This ensures they implement best practices for secure transactions and protect their customers’ card data and private information.
For merchants, being PCI Compliant means maintaining the security standards set forth by the Payment Card Industry; PCI compliance refers to the steps that merchants must take to maintain the security standards set for accepting card payments. Every merchant who wants to accept any kind of card payment must show they have completed PCI Compliance. And they are required to prove their compliance annually.
How do merchants prove PCI Compliance? In addition to implementing security measures, PCI requires merchants to fill out an annual Self Assessment Questionnaire (SAQ).
eCommerce merchants must go one step further to prove compliance with the DSS. PCI SSC requires all eCommerce merchants to complete a quarterly Vulnerability Scan. The goal of the Vulnerability Scan is to identify security weaknesses by performing an in-depth review of the merchant’s security environment.
The Self Assessment Questionnaire is generally where most merchants end up falling out of compliance, which, in turn, results in being charged a fine or PCI non-compliance fee.
How much do PCI Non-Compliance Fees cost merchants?
The main objective of PCI Compliance is to make it difficult for hackers to gain access to people’s sensitive data by implementing multiple layers of security. Fraud already costs merchants too significant a portion of their profits. And with credit card and eCommerce fraud on the rise, the industry is cracking down on merchants who aren't working to protect sensitive information.
Commonly, fees for remaining non-compliant with PCI Standards cost merchants from $30-$100 per month. However, those fees are on the rise: many processors are raising their non-compliance fees in an effort to motivate merchants to do the work. Now, some merchants will find their non-compliance fees raised to anywhere from $100-$450 per month. That’s right, per month. Merchants will be charged these fees every single month that they are non-compliant. These fees can really add up and unnecessarily cost merchants their profits.
PCI non-compliance fees aren't just an expensive reminder or a convenient way for processors to make extra money, despite what many merchants assume. This is far from the case. Never mind that security measures are paramount to the customer’s safety as well as the business’s. Fraud is extremely costly for everyone involved.
Card Brands maintain that it is the processors' responsibility to ensure merchants are following security standards when accepting card payments. If there’s a data breach at a merchant who’s not maintaining security standards, the card networks actually charge the processor for the lack of compliance on the merchant’s part.
Processors need to ensure their merchants are maintaining a secure network, protecting cardholder information, and implementing strong access control measures. Otherwise, they will find themselves incurring fines. PCI Non-Compliance fees are a way for processors to encourage merchants to meet the security standards. They are also a way for them to avoid being fined themselves and to pass the costs on to the truly non-compliant party.
Especially since it is so easy to just be compliant!
PCI Compliance is an effective way to combat payment card transaction fraud.
Over the past few years, we have seen a significant increase in eCommerce shopping. Alongside this, we have also seen a corresponding rise in the use of card payments over cash, partly due to online shopping. But with growing and evolving digital payment methods, we’re also seeing a move towards a more cashless society in all environments.
82.1% of all in-store retail transactions are paid with card payments. This includes credit cards, of course, as well as debit cards, mobile wallets (cards), and store charge cards. In fact, according to Statista, cash accounts for only a meager 12% share of payments.
As one can imagine, fraudsters go where the money goes. Credit card fraud is the second most common type of identity theft, and incidents continue to rise. 2020 saw a 44.6% increase in credit card fraud over 2019. And, not surprisingly, 65% of all fraud losses are tied to card-not-present fraud.
With the increase of card payment transactions coupled with an increase in innovative fraud attempts, it is more important than ever to protect your customers and your bottom line from fraud.
How to be compliant and avoid PCI Non-Compliance Fees.
Since the annual Self Assessment Questionnaire (SAQ) is where most merchants fall into the trap of non-compliance, this is what we’ll focus on. Many merchants don't understand the importance of the Self Assessment Questionnaire or believe that it is a voluntary assessment.
It’s important for processors and merchant service providers (MSPs) to help merchants realize this questionnaire is necessary and mandatory. But it’s also important for merchants to be proactive and do what’s necessary to ensure the security of their customers’ data.
What is the SAQ - Self-Assessment Questionnaire?
The SAQ is simply a collection of standard identifying questions about the business. It requests basic vendor information about the merchant. The questions will involve information on all business locations that accept card payments, each business type, and the payment types collected.
The questionnaire also contains a series of “yes/no” questions pertaining to PCI Data Security Standards requirements. If merchants can answer “yes” to all questions, it means they’re complying with all PCI-DSS requirements. For each security standard not yet met, merchants must explain which actions will be taken to correct it. They must also include the expected date of resolution.
Merchants are required to fill out the questionnaire annually to complete their PCI Compliance. Merchants can help themselves by setting up a calendar reminder to make sure they are completing it on time each year.
How can we help our merchants become and remain PCI Compliant?
First of all, Bankcard International Group never uses compliance fees as a revenue center. Non-Compliance fees are initiated by the acquiring bank, or certified assessor, that provides our clients with their merchant account. When a merchant is non-compliant, we simply pass the assessed fee on to the merchant.
It is always our priority to help our merchants affordably accept credit card payments while maintaining the highest level of security for their customers and their own business.
Remember, Data Security Standards are set and enforced by the Payment Card Industry. Merchant Service Providers can’t do PCI Compliance for their merchants. It’s illegal.
But we can support you in your efforts to remain PCI Compliant. Some of the ways we do that are by reminding you when it’s due and answering any questions you might have. We can also help connect you with the proper vendors to assist with security and vulnerability scans. And we can help by reminding you how important it is for merchants to do their part to fight credit card fraud.
How Bankcard International Group provides merchants with support and guidance with PCI Compliance.
Most of the security measures, and therefore compliance, are built into a retail merchant’s secure payment processing solution. This means our merchants are already meeting many of the data security requirements. This greatly reduces the merchant’s scope of PCI obligations.
In the months leading up to a merchant’s annual compliance deadline, we include notifications on their monthly statement reminding them to complete the questionnaire on time. When it comes time for a merchant to complete their SAQ, we reach out directly by sending a reminder through email.
We understand that every month a merchant is non-compliant, it will cost them significant fees. If we’re notified a merchant has failed to complete their SAQ, we’ll call them directly. This way we can answer questions and offer assistance directly, and urge them to become compliant.
As we pointed out above, eCommerce merchants have one additional step to remain PCI Compliant. In addition to the SAQ, eCommerce merchants need to make sure they complete their vulnerability scan. This scan must be completed quarterly by a company certified as a PCI SSC Approved Scanning Vendor.
Yes, there is an additional cost that comes with completing the scan every quarter. However, that cost brings the security and protection that comes from knowing where your vulnerabilities lie and how to fix them. More importantly, it also comes with added protection for the merchant in the event of a breach.
Bankcard International Group can assist eCommerce merchants with the process. There is a complete list of approved vendors on the PCI SSC website. Or we would be happy to recommend one for you.
We can help with all vendor communications to make it as seamless as possible to set up your quarterly scan schedule. Once the vendor has completed a detailed review of the merchant’s card data environment, they provide the merchant with their Report on Compliance (RoC). The merchant can then submit the Report on Compliance to the PCI DSS as proof of PCI Compliance.
Merchants should view PCI Compliance as an ongoing process; it’ll continue to morph as technology advances and fraud adapts. Protecting sensitive data from fraudsters not only protects your customers but also protects your reputation, brand, and sales. And protecting your business from fraud helps protect it from expensive lawsuits, insurance claims, and fines.
If you ever find that you are being charged a Non-Compliance Fee, I urge you to call us right away. Our ETA-Certified Payments Professionals can answer any questions and advise you on the steps to become compliant as quickly and painlessly as possible. Most likely, it is just that you haven’t filled out your questionnaire!