PCI Compliance Fees: Are you getting what you are paying for?
I own a small business, and my credit card processor charges me a "PCI Compliance Fee". What is this, and what do I get for it?
Almost every business takes payments via credit cards, and as transaction volumes and value increase, so do the costs and the risks. I asked Rick Dakin, CEO, co-founder and chief security strategist at Coalfire, an IT Governance, Risk and Compliance (IT GRC) firm with offices in eight U.S. cities, for help with your question. Here's his response:
"PCI Compliance" is important to any business that accepts credit cards. Credit card theft and fraud is a multi-billion-dollar global problem, and to defend against it, the credit card brands created a security standard, called the PCI Data Security Standard (PCI DSS), which sets forth a minimally acceptable set of controls (i.e., safeguards, procedures, and so forth) that merchants are required to adopt. If you take credit cards, you signed an agreement with your credit card processor in which you agreed to comply with the PCI DSS.
Processors in turn have contracts that require them to enforce compliance with the PCI DSS, and they report back to the card brands on the compliance status of their customers. They require their big customers, as part of their PCI assessment process, to do a penetration test and submit a Report on Compliance (ROC), developed and signed by a Qualified Security Assessor firm.
Smaller merchants also need to be fully compliant with the DSS, but they don't necessarily need to hire an auditor; instead, they are allowed to complete a Self-Assessment Questionnaire (SAQ). The best way to complete a SAQ is via an online toolkit like Navis that guides you through the process and helps you collect and organize evidence of compliance.
Coming back to the original question, those tools are typically what you "get" for those compliance fees that the card processors charge. But here's the rub: most merchants never use them! They mistakenly think that the compliance fees they pay somehow make them compliant, and by extension, safe from credit card fraud.
I tell every merchant I can to do one of two things: Either pay the fee and take advantage of the services offered, or stop paying the fee and bring in an advisor you trust to tell you the truth about your compliance status.
If you don't know your PCI Compliance status, you are taking a huge risk. Credit card theft occurs every day, and the investigators are good at tracing those hacks back to the source. If your business is determined to be the source, you will be asked for evidence of your PCI compliance.
A PCI compliance report - either a ROC or a SAQ - is almost like a 'get out of jail' card - it is proof that you weren't negligent, and you can use it to negotiate your way out of potentially catastrophic fines and penalties. And better yet, a well-done report will almost always save time and money on IT security, starting with those unused compliance fees!
If you are looking for more information on PCI and how the PCI compliance process works, I recommend our Top 10 Compliance Issues for the Payment Card Industry whitepaper.