Thursday, November 19, 2009

Processors Imposing "PCI Insurance Fees" on Smaller Merchants

From "Practical Ecommerce" -- Since June of 2008, all merchants accepting credit cards have been required to become PCI DSS compliant, to help prevent and contain the losses that follow when a business loses cardholder data. For smaller merchants, compliance with the Payment Card Industry Data Security Standard requires completing a Self-Assessment Questionnaire (SAQ) and having quarterly external vulnerability scans run against their servers and network connections.

Until recently, Level 2, 3, and 4 merchants (those with fewer than six million Visa transactions per year) have largely been ignored by the Security Standards Council. Level 4 merchants do not generally need an on-site assessment by a Qualified Security Assessor (QSA), and in practice there were no repercussions for non-compliance. PCI's focus was on ensuring that large businesses were secure, because a single data breach at that scale does far more damage, as the TJX and payment-processor breaches showed.

But that has been changing. Under pressure from card issuers, the government, and consumer advocacy groups, processors are now charging Level 4 merchants who are not validated as PCI compliant a monthly "PCI fee" ranging from $20 to $50 per month. This trend started in July of 2008, and it looks set to become the standard in the processing industry. If your processor does not have a PCI non-compliance fee right now, there is a good chance that it will in the near future.

Why are processors charging this?

Card issuers don't have the means to police the millions of businesses in the US and around the world, so they are placing liability for a data breach on credit card processors. Essentially, this means that the processor can be held liable for all costs incurred if a non-compliant business suffers a loss of card data. Most processors don't have anywhere near enough cash reserves to absorb even a few small data breaches. Even a small breach of a few hundred card numbers can result in millions of dollars in fines, reissuance costs, and other damages.

The processors' only realistic option is an insurance fund to cover the costs of data breaches they are liable for. These funds are built from the newly appearing fees that processors pass on to their non-compliant customers. Unless processors are removed from the liability chain, these fees are likely to become standard.

What can you do to avoid these fees?

The only way to avoid these fees is to become officially PCI compliant. Quarterly PCI scanning from an Approved Scanning Vendor (ASV), which is the vendor type the PCI Security Standards Council designates for external scans (on-site audits, by contrast, are performed by Qualified Security Assessors, or QSAs), ranges from about $50 per year to a few hundred dollars annually, but in almost every case is cheaper than the additional fees that processors have been forced to pass down. The PCI Security Standards Council maintains the list of ASVs that are allowed to perform the required quarterly scanning on its website.

PCI compliance is more than simply filling out the questionnaire and having your networks scanned for vulnerabilities: it requires you to actually maintain secure networks, computers, servers, software, and equipment. Most small businesses cannot withstand the cost of a data breach, and security is a business owner's responsibility, regardless of size, whether they want it or not.
