Merchant services providers are notorious for tacking on all kinds of extra fees for their services and not disclosing them during the sales process. Merchants are mostly left to find them buried somewhere in the pages and pages of fine print that make up their contracts.
One fee that raises a lot of questions from merchants is the PCI compliance fee. What is the fee for, and what does being PCI compliant mean? What services does the provider offer in exchange for it? Most importantly, is there any way to get out of paying for it?
This article will discuss PCI compliance, why it’s important, and how your merchant services provider treats it. We’ll look at the numerous ways in which providers charge (or don’t charge) for PCI compliance services and what kind of services you’ll receive. We’ll also discuss the dreaded PCI non-compliance fee and how you can avoid ever having to pay it.
Check out our Merchant Account Comparison Chart to get the full picture on fees, including PCI fees, from some of the best payment processors in the industry.
What Is PCI Compliance?
Let’s start with the basics. PCI compliance refers to compliance with data security standards set out in the Payment Card Industry Data Security Standard (PCI DSS). These standards are designed to ensure that your customers’ credit card data is handled safely and securely to minimize any chance of a data breach. Compliance with PCI DSS standards is required by the credit card associations (Visa, Mastercard, etc.), but enforcement is largely left up to the individual processors.
Requirements for being PCI compliant can be complex and vary widely from one business to the next. For example, a retail-only business that doesn’t use a payment gateway might have relatively few requirements to meet. At the same time, an eCommerce business that processes all sales over a payment gateway and uses a customer information database to store customer payment method information would have far more extensive requirements. Unfortunately, merchant services providers don’t always take these distinctions into account when setting PCI compliance fees, preferring to charge all merchants the same fee regardless of their actual compliance needs.
The credit card associations have divided businesses into four levels of risk based on how many transactions they process annually. To figure out which risk level your business falls under, check out our article, The Complete Guide To PCI Compliance Levels & How To Determine Your Business’ Obligations For PCI Compliance. Most small businesses will fall under Level 4, defined as “Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually.”
While your provider handles many of the required actions, you will also have some steps to perform yourself. The most important action you’ll need to take is to complete the Self-Assessment Questionnaire (SAQ). This questionnaire needs to be updated annually. Failure to keep the SAQ updated is the most common reason merchants are charged a PCI non-compliance fee by their provider.
The PCI Security Standards Council (PCI SSC) publishes several different forms of the SAQ for different types of businesses. These forms are described on the PCI SSC website, which also includes links to instructions and documents you’ll want to refer to when filling out the SAQ. For more details on PCI compliance requirements, please see our article, The Complete Guide to PCI DSS: Why You Need To Understand PCI Compliance Standards & What Role Payment Processors Play.
What Are PCI Fees?
The term “PCI fees” refers to any type of fee charged by your processor in conjunction with meeting PCI compliance standards. There are two kinds of PCI fees charged by credit card processors: PCI compliance fees and PCI non-compliance fees. Since you might see either one (or both!) of these fees on your processing statement, it’s important to understand what they’re for and why you have to pay them.
PCI Compliance Fees
In theory, PCI compliance fees compensate your provider for any services they provide to ensure that your merchant account complies with all applicable PCI standards. We say “in theory” because you don’t always receive something of value in exchange for paying these fees.
eCommerce businesses will inevitably have more PCI compliance requirements to meet than most retail businesses, but both types of businesses will usually have to pay the same monthly or annual PCI compliance fee if their provider charges one.
PCI compliance fees are also a relatively new feature in the payments industry. The first set of PCI standards, PCI DSS 1.0, was published back in December 2004. At that time, eCommerce was still in its infancy, but rampant fraud was already on the rise. It quickly became clear that businesses were going to have to take extra steps to protect their customers’ sensitive credit card data. With the extra requirements came extra costs, and merchant services providers soon started passing those costs on to their clients in the form of PCI compliance fees.
One common misconception about PCI compliance fees is that payment of the fee means that your provider will ensure that your account is fully compliant, and you don’t have to do anything. Unfortunately, this simply isn’t true. While robust PCI compliance services can take care of the more technical aspects of compliance, at a minimum, you’ll still have to complete the Self-Assessment Questionnaire (SAQ) and keep it updated.
Most PCI compliance services offered by providers fall into one of the following three categories:
- Security Scans: This is the most basic compliance service your processor can provide you with, and it’s essential that it be included if you’re paying a PCI compliance fee. Security scanning services thoroughly check all aspects of your processing system, including your website, server, payment gateway, and any connected terminals or POS systems for viruses, Trojans, malware, and other potential security threats. Scans are required to be conducted quarterly, although some providers will scan your system every month.
- Data Breach Insurance: This is insurance that will reimburse you for any losses or claims resulting from a breach where your customer data is hacked or stolen. Data breach insurance is subject to policy limits and a number of exclusions, so there’s no guarantee that the insurer will accept your claim if you suffer a breach. You’ll want to review your insurance policy to determine what specific incidents it will or will not cover. While the possibility of a denied claim can make this type of insurance seem like a waste of money, it’s certainly better than not having any insurance against a breach at all. Data breach insurance is particularly important for eCommerce merchants. One of our highest-rated providers, CDGcommerce, offers $100,000 in data breach insurance as part of its optional cdg360 security package. At $15 per month, it’s a worthwhile investment.
- Customer Education & Assistance: This is perhaps the most nebulous, but also the most important, compliance service your provider can offer. What you want — and what some providers offer — is an in-depth knowledgebase to educate you about PCI compliance requirements and proactive assistance where your provider will contact you immediately if they detect anything amiss regarding your account’s security. Unfortunately, some providers offer only minimal services in this area while still charging you a full PCI compliance fee. Beware of providers that offer just a minimal FAQ on PCI compliance or are quick to start charging you a PCI non-compliance fee without notifying you that your account is out of compliance.
PCI Non-Compliance Fees
A PCI non-compliance fee is nothing less than a fine or penalty for failing to keep your account compliant with PCI DSS standards. It’s only imposed if you, the merchant, have neglected to do something on your end to keep your account compliant. Failure to complete or maintain the Self-Assessment Questionnaire (SAQ) is the most common reason for a PCI non-compliance fee to be imposed.
The biggest problem with the PCI non-compliance fee is that it doesn’t do anything to rectify the situation or bring your account into compliance. Your provider doesn’t offer any extra services for this fee, and as such, we consider it a “junk” fee. Unfortunately, your provider may impose a PCI non-compliance fee without notifying you, and it will continue to charge this fee every month until you bring your account back into compliance. PCI non-compliance fees vary from one provider to the next, but the industry average is about $20-$30 per month.
As much as we don’t like this fee, the fact is that almost all merchant services providers will charge you a PCI non-compliance fee if you fail to keep your account compliant. Some of the better providers will notify you in advance that your account is no longer PCI compliant and give you a chance to fix the problem before the non-compliance fee kicks in. However, many other providers won’t notify you at all and will start charging the extra fee until you notice it and bring your account back into compliance on your own. This is yet another reason why you need to review your merchant account statement carefully every month.
Can you be charged for both PCI compliance and non-compliance at the same time? Of course, you can! In fact, if your provider charges you for PCI compliance and your account becomes non-compliant, you’re guaranteed to end up paying both fees simultaneously until you fix the problem. The bottom line on PCI non-compliance fees is that they’re easily avoided just by keeping your account compliant. As long as you review your requirements and make sure you’re meeting them, you should never have to pay this fee.
How Much Does PCI Compliance Cost?
Providers are free to charge for PCI compliance any way they want to, so naturally, there’s a lot of variation from one company to the next. Over the years, an “industry standard” of sorts has developed that lumps charges for PCI compliance into a single annual fee of around $99 per year. (Note that this fee has crept up in recent years in reaction to inflation and extra compliance requirements and is now closer to about $120 per year.)
The problem with paying a single annual fee is that most providers will not give you a prorated refund on this fee if you close your account within the annual period after you’ve paid it. In response to merchants’ numerous complaints about this practice, many providers now charge monthly for PCI compliance, typically around $7.99 to $9.99 per month (or more).
Because merchants have generally been unhappy about having to pay yet another fee to maintain their accounts, many providers don’t charge a separate PCI fee at all. Does that mean that you’re getting PCI compliance services for free? Don’t be silly! In most cases, the PCI compliance cost for a small business is covered through either a higher monthly account fee, higher processing rates, or a combination of the two.
PCI non-compliance fees are handled differently because they are only charged if your account becomes non-compliant. Almost all providers will charge you a monthly fee of around $20-$30 per month until you get your account back into compliance. In theory, a provider would be well within its rights to shut down your account if you neglected to bring it back into compliance within a reasonable time. However, this rarely happens in actual practice, probably because the provider is still making money from your account fees and processing activity.
The sad truth is that far too many small business owners don’t take the time to review their processing statements every month. They often don’t even realize that they’re getting hit with a PCI non-compliance fee until many months after their account has become non-compliant.
Regardless of how your provider charges for PCI compliance, any applicable PCI fees should be disclosed in your contract documents. Be sure to review this information before you sign up for an account to avoid unpleasant surprises later.
Here’s a breakdown of how several of the most popular merchant services providers in the industry charge for PCI compliance:
| Processor | PCI Compliance Fee | PCI Non-Compliance Fee |
| --- | --- | --- |
| Dharma Merchant Services | None | None |
| Electronic Merchant Systems (EMS) | $75.00/year | $50.00/month |
| Flagship Merchant Services | $99.00/year | $19.95/month |
| Host Merchant Services | None | None |
| Wells Fargo Merchant Services | Variable | Variable |
Are PCI Compliance Fees A Scam?
Misconceptions about PCI compliance requirements and a general distrust of merchant account providers have led many business owners to feel that PCI compliance fees are just a scam to squeeze more money out of them. While this might be the case with some providers, it’s usually not. Whether or not you’re being ripped off will depend on which of these possible approaches to PCI compliance your provider uses:
- No Fee Charged, No Services Provided: Under this approach, your provider basically leaves PCI compliance up to you. You won’t be charged a PCI compliance fee, but you won’t receive any services to help you maintain compliance, either. It’s very rare to see this approach still in use, given the prevalence of eCommerce today and the provider’s financial risk if a data breach occurs.
- No Fee Charged, Services Are Provided: This approach is the most popular with merchants. You receive at least some services that help you maintain PCI compliance, but you don’t pay a separate fee for them. Many of the providers in the chart above utilize this approach. Of course, nothing is ever really free in the processing industry. In most cases, providers using this approach are actually bundling your PCI compliance costs with your monthly account fee or charging you slightly higher processing rates than you would otherwise receive.
- Fee Charged, Services Are Provided: This is the most common approach used by traditional merchant account providers. You’ll have to pay a fee, but you’ll receive PCI compliance services in exchange for that fee to help keep you compliant. As long as the cost is reasonable and the services provided help keep your account secure, this is a fair and sensible approach.
- Fee Charged, No Services Provided: Unfortunately, there are some unscrupulous providers out there that will gladly charge you a PCI compliance fee but don’t offer any services in exchange. Not only are you on your own when it comes to maintaining compliance, but you’re also being ripped off by having to pay a “junk” fee that doesn’t provide anything other than increased profits to your provider. We recommend that you steer clear of providers that utilize this approach.
How will you know which of these approaches applies to your account? One way is to ask your sales agent. However, be aware that most agents won’t voluntarily disclose the existence or amount of PCI fees unless you ask them about the subject.
PCI fees, if any, are spelled out in your contract, usually in the Merchant Application section. Unless your provider specifically states on its website that it doesn’t charge PCI compliance fees, it’s a good bet that they will be part of your agreement. As for what services are provided in exchange for paying PCI fees, you’ll probably have to ask customer service for details. Most sales agents simply won’t be very knowledgeable about this topic.
How To Avoid PCI Compliance Fees
In recent years, more and more providers have stopped charging separate PCI fees in response to merchant complaints. If you’re absolutely set on not having to pay for PCI compliance, your best bet is to choose a provider that doesn’t charge those fees at all. This is getting easier to do, although we’d caution you that most of the big-name direct processors and their numerous resellers continue to charge PCI fees in most cases.
You should also be aware that payment service providers (such as Square) aggregate all of their users into a single merchant account. In this case, PCI compliance is handled directly by the provider, and you won’t be charged any PCI fees.
Merchant Services With No PCI Compliance Fee
Finding a provider that won’t charge you any PCI fees is getting much easier, thanks to pressure from merchants to simplify or eliminate the number of extra fees they need to pay to maintain their accounts.
Payment services providers (such as Square and PayPal) take care of PCI compliance for you since you won’t have a unique merchant account for your business. These companies use a flat-rate pricing structure to cover the cost of PCI compliance, so at least a small part of your transaction processing fees goes to covering these costs. However, you won’t have to worry about getting stung with a PCI non-compliance fee.
On the other hand, traditional merchant account providers are more likely to impose PCI fees separately rather than including that cost in the other fees and processing rates that you’re already paying. Providers using membership pricing (such as Fattmerchant and Payment Depot) don’t charge separately for PCI compliance. However, you can bet that at least some part of your monthly subscription fee goes toward covering those costs.
Be sure to check out the table above for more providers that don’t charge for PCI compliance!
How To Avoid PCI Non-Compliance Fines & Fees
If you don’t like the idea of paying an extra $30 per month in junk fees just to have your provider remind you that your account is no longer PCI-compliant, there are many ways to prevent this from happening. Besides the obvious step of choosing a provider that doesn’t charge a PCI non-compliance fee, here are a few things you can do to avoid this penalty:
- Train your employees (and yourself) on proper credit card handling procedures
- Follow all practices recommended by the PCI SSC to secure your processing equipment
- For eCommerce merchants, consider using a hosted payment page to keep credit card data off your website entirely
- Ensure that quarterly security scans are being performed and review the results
- File an updated Self-Assessment Questionnaire (SAQ) every year
- Implement any additional security requirements identified in the SAQ and document your efforts
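Two of the steps above (the annual SAQ filing and the quarterly scans) are calendar-driven, and the article points out that a lapsed SAQ is the most common trigger for the non-compliance fee. The following Python script is an added example, not code from the article or from any processor: a small compliance-calendar checker that flags a lapsed or soon-due SAQ, a stale or missing passing scan, and any completed quarter of the current year with no passing scan on record. The 90-day scan window and 30-day warning threshold are assumptions chosen for the example, and the filing and scan dates are constructed sample data.

```python
"""Compliance-calendar checker for the SAQ and quarterly-scan obligations (added example)."""
from __future__ import annotations

from datetime import date

SAQ_VALIDITY_DAYS = 365   # the SAQ must be refiled every year
SCAN_WINDOW_DAYS = 90     # assumption: "quarterly" scans modelled as a rolling 90-day window
WARN_DAYS = 30            # assumption: warn this many days before the SAQ lapses

# Constructed sample data, not taken from any real merchant account.
TODAY = date(2024, 6, 15)
LAST_SAQ = date(2023, 5, 1)
SCANS = [  # (scan_date, passed): a failed scan does not count as coverage
    (date(2024, 1, 10), True),
    (date(2024, 4, 2), False),
    (date(2024, 4, 20), True),
]
SCANS_FAILED_Q1 = [(date(2024, 1, 10), False), (date(2024, 4, 20), True)]


def saq_status(last_filed: date, today: date) -> tuple[bool, int]:
    """Return (current, days_left); days_left goes negative once the SAQ has lapsed."""
    days_left = SAQ_VALIDITY_DAYS - (today - last_filed).days
    return days_left >= 0, days_left


def latest_passing_scan(scans: list[tuple[date, bool]]) -> date | None:
    """Most recent scan that passed, or None if no scan has ever passed."""
    passing = [d for d, passed in scans if passed]
    return max(passing) if passing else None


def scan_status(scans: list[tuple[date, bool]], today: date) -> tuple[bool, int | None]:
    """Return (covered, days_left_in_window); days_left is None with no passing scan at all."""
    last = latest_passing_scan(scans)
    if last is None:
        return False, None
    days_left = SCAN_WINDOW_DAYS - (today - last).days
    return days_left >= 0, days_left


def missed_quarters(scans: list[tuple[date, bool]], today: date) -> list[int]:
    """Completed quarters of the current year (before the current one) with no passing scan."""
    covered = {(d.month - 1) // 3 + 1 for d, passed in scans if passed and d.year == today.year}
    current_q = (today.month - 1) // 3 + 1
    return [q for q in range(1, current_q) if q not in covered]


def compliance_findings(last_saq: date, scans: list[tuple[date, bool]], today: date) -> list[str]:
    """Human-readable list of gaps that would typically trigger a non-compliance fee."""
    findings = []
    saq_ok, saq_days = saq_status(last_saq, today)
    if not saq_ok:
        findings.append(f"SAQ lapsed {-saq_days} days ago: file an updated SAQ now")
    elif saq_days <= WARN_DAYS:
        findings.append(f"SAQ falls due in {saq_days} days")
    scan_ok, scan_days = scan_status(scans, today)
    if scan_days is None:
        findings.append("no passing security scan on record")
    elif not scan_ok:
        findings.append(f"last passing scan is {-scan_days} days outside the {SCAN_WINDOW_DAYS}-day window")
    for q in missed_quarters(scans, today):
        findings.append(f"Q{q} {today.year} has no passing scan on record")
    return findings


def sample_report() -> list[str]:
    """Run the checker over the constructed sample data."""
    return compliance_findings(LAST_SAQ, SCANS, TODAY)


if __name__ == "__main__":
    for line in sample_report():
        print("FINDING:", line)
```

Run against the sample data, the checker reports only the lapsed SAQ: the April 2 scan failed, but the April 20 scan passed and is still inside the 90-day window, and Q1 is covered by the January scan. Swap in `SCANS_FAILED_Q1` and Q1 is reported as uncovered, which is the point of tracking pass/fail rather than just scan dates.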
For most small business owners, these requirements for avoiding PCI compliance fines are relatively easy to meet and shouldn’t require an undue amount of time or effort on your part. Above all, remember that maintaining PCI compliance isn’t about avoiding a penalty fee. Ultimately, it’s about safeguarding your business from a potentially catastrophic data breach that can cost you thousands of dollars and put you out of business entirely.
PCI Compliance & PCI Fees FAQ
What does PCI stand for? The term “PCI” is generally used as shorthand for PCI DSS, an acronym for Payment Card Industry Data Security Standard, an industry standard for securing customer payment card information and protecting it from being stolen, exposed, or exploited by cybercriminals.
How much is a PCI compliance fee? Merchant account providers that charge for PCI compliance may impose this charge either annually or monthly. In the payments industry, PCI compliance fees generally average around $120 per year or $10 per month.
Do I have to pay a PCI compliance fee? PCI compliance fees are mandatory if the merchant uses a provider that charges this fee and generally may not be waived under any circumstances. Note that merchants are responsible for maintaining PCI compliance requirements whether they pay a PCI compliance fee or not.
What does PCI non-compliance mean? Your merchant account will be considered PCI non-compliant if your provider detects any problem with your account that falls short of full compliance with PCI DSS standards. Lapsed Self-Assessment Questionnaires and failure to complete required quarterly security scans are the most common PCI non-compliance issues.
What is a PCI non-compliance fee? A PCI non-compliance fee is a penalty charged by your merchant account provider for every month that your account is determined to be out of compliance. This fee is meant to encourage you to correct any deficiencies and does not do anything to help you bring your account back into compliance.
How do I become PCI compliant for free? If your merchant account provider does not charge for PCI compliance, you can become PCI compliant at no extra cost by completing and filing your Self-Assessment Questionnaires each year and maintaining records of any required security scans.
Does Square charge a PCI compliance fee? Square aggregates all its users into a single, combined merchant account. The company takes care of PCI compliance requirements for this account and does not charge its users a PCI compliance fee.
Key Takeaway: PCI Compliance Is Mandatory; PCI Fees Aren’t
Needing to maintain PCI compliance requirements is an inevitable part of having a merchant account. You have to meet those requirements regardless of how much (or how little) help you receive from your provider. Because PCI compliance policies and fees vary so much from one provider to another, you should carefully research your provider’s approach to PCI compliance before you sign up for an account.
As we’ve noted, paying a reasonable PCI compliance fee is entirely acceptable as long as your provider offers some actual services to keep you compliant. The situation you want to avoid is one where you’re being charged a PCI compliance fee but aren’t receiving any compliance services.
It’s also critically important to review your contract thoroughly before you sign up with a new provider. While this is good advice in general, it’s especially crucial in determining whether you’ll be liable for PCI compliance or non-compliance fees and how much they’ll cost. As we’ve noted, sales representatives generally don’t disclose these fees unless you specifically ask about them first.
For more information on maintaining PCI compliance standards and avoiding getting hit with a PCI non-compliance fee, check out our article, The Quick Guide To PCI Compliance For Small Businesses: What You Need To Know & How To Become Compliant.