I own a small business, and my credit card processor charges me a “PCI Compliance Fee”. What is this, and what do I get for it?
Almost every business takes payments via credit cards, and as transaction volumes and value increase, so do the costs and the risks. I asked Rick Dakin, CEO, co-founder and chief security strategist at Coalfire, an IT Governance, Risk and Compliance (IT GRC) firm with offices in eight U.S. cities, for help with your question. Here’s his response:
“PCI Compliance” is important to any business that accepts credit cards. Credit card theft and fraud is a multi-billion-dollar global problem, and to defend against it, the credit card brands created a security standard, called the PCI Data Security Standard, that sets forth a minimally acceptable set of controls (i.e., safeguards, procedures, and so forth) that merchants are required to adopt. If you take credit cards, you signed an agreement with your credit card processor in which you agreed to comply with the PCI DSS.
Processors in turn have contracts that require them to enforce compliance with the PCI DSS, and they report back to the card brands on the compliance status of their customers. They require their big customers, as part of their PCI assessment process, to do a penetration test and submit a Report on Compliance (ROC), developed and signed by a Qualified Security Assessor firm.
Smaller merchants also need to be fully compliant with the DSS, but they don’t necessarily need to hire an auditor; instead, they are allowed to complete a Self-Assessment Questionnaire. The best way to complete a SAQ is via an online toolkit like Navis that guides you through the process and helps you collect and organize evidence of compliance.
Coming back to the original question, those tools are typically what you “get” for those compliance fees that the card processors charge. But here’s the rub: most merchants never use them! They mistakenly think that the compliance fees they pay somehow make them compliant, and by extension, safe from credit card fraud.
I tell every merchant I can to do one of two things: Either pay the fee and take advantage of the services offered, or stop paying the fee and bring in an advisor you trust to tell you the truth about your compliance status.
If you don’t know your PCI Compliance status, you are taking a huge risk. Credit card theft occurs every day, and the investigators are good at tracing those hacks back to the source. If your business is determined to be the source, you will be asked for evidence of your PCI compliance.
A PCI compliance report – either a ROC or a SAQ – is almost like a ‘get out of jail’ card – it is proof that you weren’t negligent, and you can use it to negotiate your way out of potentially catastrophic fines and penalties. And better yet, a well-done report will almost always save time and money on IT security, starting with those unused compliance fees!
If you are looking for more information on PCI and how the PCI compliance process works, I recommend our Top 10 Compliance Issues for the Payment Card Industry whitepaper.