May 6th, 2008 by Jamie Estep
Forcing Software for PCI Compliance
Filed in: Fraud, Merchant Accounts | 42 comments
Lately I’ve been hearing reports of processors that are starting to charge their customers $19.95 per month for not being PCI compliant. To fix this problem, these processors are requiring their customers to install some PC-based scanning software that is supposed to magically make the business PCI compliant, thereby allowing them to avoid the monthly charge.
Let me start out by saying: This is a bunch of crap!
There is nothing that you can just put on your PC that will make your business PCI compliant. This is so far off course that it can hardly be related to PCI at all. PCI compliance covers the networks, computers, hardware and software that play a part in the processing, storage, or transfer of a credit card transaction, not a single program installed on one machine.
It is now required that every business be PCI compliant, but let me assure you that there is no simple computer program that will do this for any business. Even if only a single computer is used to enter card data, it is unlikely that it is the only piece of the puzzle, and even more unlikely that a single piece of software can guarantee PCI compliance.
Steps to get compliant:
- Determine whether you need to be PCI compliant. (If you accept credit cards, or play any part in the processing of a credit card, you need to be PCI compliant.)
- Determine which Level of compliance is required for your business.
  - Level 1: Greater than 6 million credit card transactions per year, or any business that has suffered a hack or data breach, or any business deemed Level 1 by the card associations.
  - Level 2: 1 to 6 million credit card transactions per year.
  - Level 3: 20K to 1 million credit card transactions per year.
  - Level 4: Less than 20K ecommerce, or 1 million total transactions per year.
- Fill out the self-assessment questionnaire (SAQ).
- Fix every area that you answered ‘NO’ to on the SAQ.
- Hire an Approved Scanning Vendor (ASV) to perform quarterly scans of any external networks. (All Levels)
- Fix and maintain any failed area of the scan.
- Level 1 only: Complete an annual on-site audit by a Qualified Security Assessor (QSA).
- **Continue to maintain security of networks and card information!**
Once you complete all of those requirements, and maintain a secure network and business environment, you are PCI compliant. Most of the details of PCI compliance can be found in the SAQ, and on the PCI Security Standards website.
If you’re trying to determine whether PCI compliance is worth it to you, consider this: A security breach will result in a business requiring Level 1 compliance. The cost for level 2, 3, and 4 compliance can be as low as a few hundred dollars per year. The cost of Level 1 compliance can easily reach into the 6 and 7 figures per year.
Some Good PCI Resources:
- PCI Answers Blog
- PCI Security Standards website
- Visa Cardholder Information Security Program
- MasterCard SDP Program
This PCI compliance is a massive scam!
I signed up for my Virtual Terminal merchant account back in August of this year. I have processed $140 dollars TOTAL to date.
All of a sudden I get a letter from First Data telling me I have to be PCI compliant or be charged $19.95 a month until I comply and be fined up to $350 a year!!
I called Security Metrics to do the survey and they inform me that the charge is $139.00. Of course, the salesman at First Data never mentioned this PCI Compliance crap or how much it might cost. Neither did the letter. On top of it all, since I have made a transaction on my account I have to pay $350 just to cancel my account.
This is like being extorted by the mob! There is no way to fight back either. It is “pay or else”…
Merry Christmas from PCI and First Data!
I, too, think this is a rip-off. If you’re not compliant it costs you $19.95 per month. How is that going to make cardholder information more secure? It’s not. They just want the money. Have you tried to pass these free evaluation security scans by one of the PCI Security companies? They make it impossible unless you sign up with them. I think these companies are owned by the Credit Card companies. Maybe not directly, but the money gets back to them somehow. How did all these companies sprout up all of the sudden? It’s all a big scam aimed mostly at small businesses.
I agree that PCI DSS compliance fees are a rip off. My credit card processing company claimed that compliance is a federal mandate. It’s mandated by VISA, MC and the like. When I attempted to complete my SAQ questionnaire, no one (my bank, card processor, or the pci compliance software company involved) knew what to do with it. So, who are the pci dss police? How are we as merchants protected? So the bank card companies get richer, the pci compliance providers get richer. Imagine if everyone stopped using credit cards.
The PCI-DSS police are basically Visa/MC/AMEX/Discover. I recently heard a story of Amex charging $50,000 per month for non-compliance.
As far as protection goes, merchants aren’t protected in any way, even if they are PCI compliant. They are still completely responsible for lost cardholder data, whether compliant or not. PCI does not secure anything, and it doesn’t guarantee anything.
Jestep wrote:
PCI does not secure anything, and it doesn’t guarantee anything.
Yes it does – it provides CYA for everybody above us end users in the food chain!
My payment processor, Pipeline Data Processing, is going to charge me $150/yr to “assure my compliance”. According to the SBA, there are 23 MILLION small businesses in the US; assuming 1/2 take credit cards, my question is: where is the $150×11,500,000 = $1.72 BILLION/yr going?
We operate a small business (<$40K/year CC sales) and our customers are other businesses. Here is how we deal with the whole issue of “compliance”. We only use a virtual terminal to enter CC data, and we do not store any customer CC data on any of our systems. Even so, we get nicked $40 a year for their bogus compliance fee!
What’s unfortunate is that PCI doesn’t CYA for anything. A business is still fully liable for damages from a data breach. PCI does nothing more than show that a business protected against some of the more common areas that breaches occur in.
Here is my story in the form of the e-mail that I sent to First Data yesterday:
Dear First Data,
On Jan 16th, my other business, Waters of Superior, went through Security Metrics to become certified as PCI compliant. I called that same day to do the same for CPL Imaging and happened to ask if there was a way to become compliant without paying another $24.99. I was told, sure, just download the appropriate self-assessment questionnaire (from http://www.pcisecuritystandards.org), fill it out, and fax it to First Data.
On Saturday I called First Data customer service to find the fax number for the completed form. (Of course I had to get this done since it was the last day of January and I didn’t want to be hit for another $20 from First Data for a February of non-compliance.) I was told that I had been misinformed, that I am only able to certify through a third party like Security Metrics.
So I called Security Metrics back to hear that First Data is wrong and I should fax it to (801)xxx-xxxx which I did on Saturday, Jan 31.
Today I got a call from Security Metrics telling me that I should not have been told to fax it to the above (because that is their fax #), but rather I should fax to (954) xxx-xxxx which is First Data’s number.
So, I called First Data again to tell the customer service person that I am about to fax to First Data based on what Security Metrics had insisted to be correct. I was told that First Data cannot deem me compliant without a third party, put on hold for a very long time and told the same thing again. I asked if I could talk to somebody at First Data who really knows how this PCI thing works and was told that there is no such person.
I called Security Metrics back and was told that the people that I talk to at First Data are just customer service people who do not know about PCI, that First Data has to accept my fax and certify me. They couldn’t give me a name, but did share this e-mail address.
Obviously I have spent much more of my time than the quick $24.95 it would have cost me and it is still not resolved. And now it’s February.
I am prepared to fax my completed 8-page questionnaire to (954) xxx-xxxx, but would like to hear from somebody who knows the score. Please respond with some good news.
Thank you,
I also use First Data. I have called and asked about BB charges on my statements… get a Dumb A-s reply of “You must not have gotten the address right when manually entering the number”. I stopped using AVS because they charge me for the service and they do not pass the discount along to me. When I call and ask questions about anything on the statement or ask for my rep, who has changed 3 times in as many years, I get asked if I want to cancel, then get warned about the termination and equipment fee, just for asking them to explain the statement. I also am due for “PCI Security metrics update”. I use straight dial up on my processing machine. Your best bet is to call and get a human on the phone while doing the questionnaire; it seems to work better.
I had several merchant accounts with First Data. I only used their virtual terminals when accepting credit cards but was told that any computer that I would ever access First Data’s YourPay site from, would need to be scanned for PCI compliance. Since YourPay makes their site available to any IP address in the world, and I travel and manage my business from many locations – I could not provide every IP address to scan, nor was it a reasonable request since YourPay services were not IP restricted. Further, I have private (not credit cards) information about clients on my home-business computers, and would not allow a 3rd party (Security Metrics) to “scan my computers,” especially because it was not a reasonable request. I asked to be excused from my contract and closed my accounts. With each request my accounts were closed instantly, but I was charged another month of account fees AND more non-compliance fees for accounts I didn’t have open. Today, I had $500 dollars taken from my last account (closed last month) as a penalty for early termination (I had it for more than two years). I have one thing to tell anyone who reads this – investigate Websites Payment Pro – a new product developed by Paypal in reaction to First Data’s terrible treatment of customers like us (my opinion). Guess what folks? One flat fee for ALL types of cards (no surprises for corporate cards), no set up fee, no penalty for closing early – and they take AMEX. I really like their web interface MUCH better than having to figure out all the random deductions that First Data took from my account. Good luck to all who want to stick around and take First Data’s abuse. I’m outa here, and keeping my ear to the ground for the class action law suit.
Websites Payment Pro is not new. Paypal has offered it for at least five years now. On that topic, there’s a good reason that Paypal is still barely a competitor when it comes to businesses. Their support is terrible. They freeze accounts, sometimes permanently, without any warning. Search around the internet for stories about Paypal account limiting policies. For every bad story you can find about a credit card processor, you can find 20 about paypal. I would never trust my business’s ability to process solely on Paypal. Relying only on Paypal is like throwing dice.
Hello EVERYONE!!!!!!
Hate to be the Devil’s Advocate, but I love Security Metrics. They helped me become PCI compliant and it took 5 minutes!
The charges are dictated by how you initially filled out your contract with FDMS. From my understanding FD customers have a couple of options.
1 – You signed a contract that allows FDMS to charge you an annual fee, so that when you call Security Metrics they will NOT obtain a credit card number and you just need a password.
2 – FDMS doesn’t charge you an annual fee, which is cheaper, but Security Metrics will need to get a credit card # and charge; validation type 1, 2, and 3 businesses pay 24.99 a year.
3 – Validation type 4 and 5 is 139.99.
4 – Security Metrics can explain to you how to go about the free version, but as mentioned above it can be a hassle. The reason that the person above had such an issue is b/c (IMHO) there was some teaching/training issues on part of the FDMS rep. Security Metrics does know how to do PCI compliance, if you call and ask them, they’ll tell you, that is all they do! They are right. Security Metrics works with a specific liaison from not only FDMS but hundreds of other Merchant Processors. So the info they give you comes straight from the top.
When I called Security Metrics for my business it really did take five minutes.
DOES IT HELP!!! Yeah, look at their website, http://www.securitymetrics.com, and right on their home page they have a link that shows you recent news about businesses that have had credit card compromises. Had they been PCI compliant they wouldn’t have any issues. The whole problem in the entire US and UK business world is that no one will admit that they could be at fault. It is just like not wearing a seat belt: sure, you can be a good driver, but that doesn’t mean someone isn’t going to smash into your car! So you wear a seat belt!
Just go back to accepting cold hard Cash! Screw these companies with their PCI garbage!
We don’t do any internal processing. Everything is done through YourPay.com 700 transactions per year. Still had to do the pci compliance to get rid of the recurring monthly pci failure charges. SCAM
I believe in protecting card data, but PCI is killing small businesses. Over-compensating rules like only allowing one service per server pretty much guarantee that many small businesses won’t be able to comply. Add to that the fact that most Cloud service providers won’t provide their customers with a binding contract indicating responsibility for card data, and small business has no hope.
If card companies really wanted to solve this problem, all they have to do is provide merchants with a card data storage service. Then the merchant could just pass a token to the card provider and end card data flying around the Internet, or being stored at a million different locations. Who knows how to securely store card data better than the card companies?
Unfortunately, the credit card companies are treating this just like they did their own customers many years ago. They shortened the duration between the time their bill gets mailed and the payment is due, thereby increasing their late fee revenue by 30%. They will never offer services to small companies to help them address PCI because this is really just a money game. They are making tons of money issuing large fines and don’t want to lose that easy revenue. Providing a storage service would solve the problem, but that means they have to actually work for the money.
Come on Visa, MasterCard, Discover, and American Express! Do the right thing and HELP all these small companies that are making you a lot of money!!!
I own a small flower shop and only do about 20 transactions a month because most of my customers pay in cash. My company EMS called me and just gave me a link to the PCI survey- they didn’t charge me anything….
How about Evalon Inc charging 60.00 per month
…Hm, I almost tossed out this nondescript piece of junk mail.
Then I read Security Metrics is going to charge me and they have my merchant number! Security of the cards I get is #1; however, this is out of the blue. SecurityMetrics should not contact me; it should be my bank.
Security Metrics has been putting injections in our site. We use the Website Pro from Paypal and have used it for years now. Never had our account frozen or trouble with customer service. I call them or email them and they always respond in a day or so.
Security Metrics has been attacking our site for months now. It is so bad that we are losing all our customers because they cannot do a transaction. We are not big like Amazon or eBay and I cannot understand why they are doing this to us. I am sick with much mental anguish that my husband and I are suffering due to Security Metrics.
If you think they are doing good for your company then you must be new to the internet and business online. The difference is that you contacted them for a scan…..we did not. They are on our site constantly. I think a competitor may have hired them to do this but do not know for sure or who or why.
I go thru a company called Cambridge and I went with them because they charge the least I have seen so far…59.99 one time annual fee…no monthly’s or anything…it seems that this is the industry standard now…so I may as well go with the least expensive…also, if anyone wants the number let me know…agent was good.
We are a small business and use Transtech, but only have 2-3 transactions per month. We got tired of all the fees & increases, so decided to cancel and process any credit transactions through PayPal. Couldn’t cancel until our anniversary, which is getting closer, or get huge fee charged, and they wouldn’t accept the cancel letter until 90 days before.
When we got the PCI letter that listed penalties could start in 2010, we weren’t concerned because by then we’d be cancelled and out. BUT, Transtech auto charged $125 for PCI compliance at the end of Sept, which we didn’t authorize, and now say we don’t have a choice. They acknowledge we are going to cancel the contract, but they consider us “technically” active, even though we haven’t used the service since July when we discontinued our land-line for the cell option. It is really a scam rip off, or they’d be willing to reverse the charge in our situation, since we are not in a position to have any security risk.
And to top it off, we haven’t done anything different on our end to get compliant, just got a fee charged, so how is that compliant? Any suggestions???
Every merchant service company that I know of has a PCI fee, whether it is a monthly, bi-annual or annual fee; all companies charge this fee from my knowledge. The PCI fee is to cover the costs of the changes in compliance that Visa and Mastercard make every April and October. This covers the processor’s cost to update the systems so that there are not any problems internally for compliance. One thing to check for is to go on Visa’s website and find out if your processor that is charging you this fee has met all of Visa and Mastercard’s compliance regulations; if they have, they will appear on this list http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf . If they haven’t, you should probably ask them to reverse your PCI fee or find a new processor, because I certainly would not want to be processing my transactions through a company that is not meeting minimum security standards. Also, if you are concerned about your PCI compliance, some merchant service companies provide breach insurance which will protect you if your company ever has a breach or lost card holder data. My biggest suggestion for all merchants is to make sure to read your contract, check your merchant service provider’s BBB rating and make sure they are in compliance, because it is in the best interest of your business. Also, if you are getting charged a really high PCI fee (this would be above $60.00 a year), I would suggest a new merchant service provider, because anything above that is just excessive. If you have a cancellation fee, see if your new merchant service provider will credit your account for your cancellation fee or at least credit part of it. This can help lessen the blow of a major early termination fee. Also, with Paypal, if you have their virtual terminal or payments pro service you get hit with a monthly $30.00 fee, which is higher than the industry standard for monthly fees.
Also you will be paying a higher rate, which makes you end up paying more than if you were to pay a yearly compliance fee. Either way they are still covering their costs because they are charging you more. Hope this helps you understand your fees.
Yes I’d like the number for Cambridge. I had first data and i cancelled it and am using propay. It SEEMS awesome as long as you don’t do more than $3000 per month in sales…
All Security Metrics uses to scan your systems is nmap and a few other pieces of open source software to scan for open ports. That’s all they really do.
Anyone who gets PCI compliant should be hanged publicly. This is the biggest fraud since the Federal Reserve. Just like the Federal Reserve the PCI Security Standards Council was founded by and for banks, for profit through manipulative scam fees and for the protection of their money. Everyone knows that a bank is responsible for stolen card charges. The banks didn’t have to fight the law though. Instead they made the public pay for it through PCI compliance.
The banks are not responsible for stolen card charges. The charges go back to the merchant, and then to the processor, and then to the acquirer. There’s no way the bank is on the hook at any point in the fraudulent charge process. They are also not making anything from PCI fees. I personally have major reservations about the way PCI has been presented, but what you’re saying is completely inaccurate.
Furthermore, Congress has openly stated that PCI is not nearly enough. Since merchants ignored Visa/MC warnings about PCI, we’re in a painful situation in trying to get everyone compliant. It’s going to get more strict in the years to come.
I got hit with 4 charges from my credit card processor – $99 each – for two e-commerce sites, 1 wireless credit card machine and 1 plug in credit card terminal. I can see where Security Metrics can scan my websites, but how can they scan my physical credit card machines I have in my small office at home? How can they tell if my credit card machines are PCI Compliant? Has anyone started a class action suit as of yet. We are small business owners and had to get a loan for the $396 PCI Compliant fees for Security Metrics. We also had no choice – the credit card processor – Integrated Merchant Services – just took the money from my checking accounts.
One more thing. If my credit card processor and my credit card gateway are both PCI Compliant, then why do I have to be PCI Compliant. We are already getting fee-d to death by both of them for every transaction and now we have to pay more fees.
I understand everyone’s frustration with PCI compliance, but it is something that is very real, and for all the complaining, at $70–$100 a year this service is really not much. Just think of what other business expenses you have that do not really do much for you. Yellow pages, etc.
I am being charged $139.80 per year for PCI Compliance by Transaction Solutions (a provider of First Data). I am switching to Sam’s Club (also a provider of First Data), because they have offered me a PCI Compliance fee of only $39.00 per year. Also they are lowering my MC & Visa discount rate from 2.035% to 1.49%.
I wouldn’t be too sure on Sam’s being cheaper. We and just about every other reasonable processor in the country are lower priced than Sam’s Club. The rate you’re quoting is only for qualified transactions. You end up paying for it on downgrades. 1.49% is a debit-only rate also. Your credit rate will be more like 1.7–1.8%. Just by the fact that Sam’s is trying to use smoke and mirrors to get your business, I would stay away. There’s plenty of honest, upfront providers out there that have cheaper PCI fees than $140 per year.
First off, security metrics isn’t at fault here. Your processor has outsourced PCI to Security Metrics and your processor is responsible for these charges.
Second, you should be able to get a refund for the extra merchant numbers. A business only needs to get PCI certified once. It’s ridiculous that they wouldn’t refund you for the accounts past the first one on this.
Lastly, as long as your business plays a part in accepting a credit card, you are just as liable for a breach as your payment gateway or processor.
I think based on the experience that you are having, you need to find a new processor. It’s completely unacceptable that you would be charged multiple times for this. The fact that they wouldn’t refund past the first charge just makes no sense. PCI is not something that is going away, but it shouldn’t be a burden to the point that it’s really hampering your business. Your processor obviously doesn’t care for your business even though you have several accounts with them. Go find somebody that does.
Not true! I contacted First Data, who was my 1st processor (I changed Merch Serv Providers – don’t get me started on why); the 2nd processor was also First Data… they have been charging me for the past 3 months ($129/yr) for PCI non-compliance, but refuse to recognize the Security Metrics compliance documentation I sent them. Now, they say: “well, we often will offer to refund those fees if you agree to stay with us…” No way will I stay with these vipers. Between PCI fees and their constant new fees, I’ve had it with First Data!
The issue we have with security metrics is that they don’t seem to apply the same PCI standards to themselves.
On a recent scan they highlighted that we had a login form (username/password) visible on an http connection rather than https (on our homepage). We pointed out that the form submitted over https, so no information was sent to the server unencrypted. They advised that to pass the scan both the form and the page needed to be https. We made the changes to allow us to pass the scan.
I then realised they have the exact same setup on their own website. You login from their homepage using a form which is viewed over http and submits to https.
Surely they would fail their own scan?
Within their website you can purchase additional scans on other domains etc. and can pay by credit card, so one would assume they need to be PCI compliant themselves?
Seems odd that they would appear to fail their own standards.
I did raise the issue with them but received no explanation.
Here’s another angle:
I maintain a web site on Bluehost for a non-profit. Last summer we switched to a new bank and credit card gateway.
In April 2009 we were deemed noncompliant because our host (Bluehost) was running php “older than 5.2.9.” Several emails back and forth from BH support to our PCI Compliance folks (Security Metrics) finally convinced Security Metrics that the security fixes in 5.2.10 had been backported into BH’s version of 5.2.9.
Then in December we began the game all over again. The site was deemed noncompliant because our host was running php “older than 5.2.12.”
In January 2010 BH support told me they were in final stages of testing for implementing 5.2.12. Two months later (and several emails) BH still has not implemented 5.2.12 and we are being levied an additional $20/month for each month “out of compliance.”
NOW — get this — before BH implements 5.2.12, my latest non-compliance email from Security Metrics today says they require PHP 5.3.2. This leapfrog game seems to have the PCI Compliance cops at least one step ahead of Bluehost. Gobs of my time and aggravation have been spent and now it seems the game is rigged against me and there can be no end. I’m probably going to be forced to change banks or change hosts. Anyone else have this experience??
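Two of the scan findings described in the comments above (the login form on an http page that posts to https, and the PHP version banner that keeps moving) can be reproduced as the kind of check an ASV scanner runs. The following is an added example, not Security Metrics’ code and not a claim about their exact rules; the HTML, URLs and version numbers are constructed, and nothing is fetched from the network.

```python
"""Reproduction of two ASV-style findings from the comments:
(1) a password form on a page delivered over plain HTTP, and
(2) a PHP version banner below a required minimum.
Constructed sample input only; not an ASV's actual rule set."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Collect every <form> and whether it contains a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self._action = None       # resolved action of the form being parsed
        self._has_password = False
        self.forms = []           # list of (action_url, has_password_field)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # An empty/missing action posts back to the page itself.
            self._action = urljoin(self.page_url, attrs.get("action") or "")
            self._has_password = False
        elif tag == "input" and self._action is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self._action is not None:
            self.forms.append((self._action, self._has_password))
            self._action = None


def login_form_findings(page_url, html):
    """Return findings for every password form on the page.

    Why the scan insists on both: a form that POSTs to https:// is still
    failed when the page carrying it arrived over http://, because anyone
    on the network path can alter the form (or its action) before the user
    types a password. Only an https page plus an https action passes.
    """
    parser = _FormCollector(page_url)
    parser.feed(html)
    findings = []
    for action, has_password in parser.forms:
        if not has_password:
            continue
        if urlparse(page_url).scheme != "https":
            findings.append(f"password form on non-HTTPS page {page_url}")
        if urlparse(action).scheme != "https":
            findings.append(f"password form posts to non-HTTPS action {action}")
    return findings


_PHP_BANNER = re.compile(r"PHP/(\d+)\.(\d+)\.(\d+)")


def php_version_below(banner, minimum):
    """True if a Server/X-Powered-By banner advertises PHP older than `minimum`.

    Caveat matching the Bluehost comment: this is banner comparison only.
    A host that backports fixes into an older version string is still
    flagged, and a host that sends no banner is simply not examined; the
    check never proves the real patch level. Returns None with no banner.
    """
    m = _PHP_BANNER.search(banner or "")
    if not m:
        return None
    return tuple(int(x) for x in m.groups()) < tuple(minimum)


# Constructed sample: an http homepage whose login box submits to https,
# the exact setup the commenter was failed on.
SAMPLE_PAGE_URL = "http://shop.example/"
SAMPLE_HTML = """
<html><body>
<form method="post" action="https://shop.example/login">
  <input name="user"><input type="password" name="pass">
</form>
<form action="/search"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for finding in login_form_findings(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("FAIL:", finding)
    print("PHP/5.2.9 below 5.2.12:", php_version_below("PHP/5.2.9", (5, 2, 12)))
```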
The SecurityMetrics site fails security 101. They show the currently logged in user ID in the upper right corner of the web page. This is a severe and basic security failure. The login screen is the only place where a user ID should appear in plain sight. After login, the information should never be displayed. Why? Because anyone looking at your screen can see 1/2 of the info needed to login. All they have to do is guess the password.
I raised this issue with them. One supervisor said that they had no way to change the site. Hmmmm. It is their site. They should be able to change it. Further, they said it was not an issue because the connection is secure. They missed the whole point of security. I cannot trust such an organization.
Hey guys!
I totally agree that PCI compliance is total shit.
Here is how one of my friends solved it, specifically with Security Metrics.
1) Remove from your web server the header string that says which PHP version you run. Right after that, Security Metrics (and anyone else) stops complaining about old PHP.
2) Hire a site admin and give him the goal: be compliant with exactly your PCI compliance provider.
And, clearly, find someone cheap enough for you, because all of this is needed by the banks, not us, and all it does is take money from our pockets.
I bet 99% people will agree with me.
I own one small shop storefront, yet pay 3% fees + fixed 20 cents + various fees for special rewards cards + statements fees. Now Bankcard Services has added $100 PCI compliance fees globally due to the prevalence of fraud abuse. If they can’t implement a system with the money they are generating from all those fees that is secure, why am I paying them an additional fee for their service? Here is what I am going to do, I am going to charge all my customers 5% more for credit card use, as a CC tax. I am going to accept and encourage checks and/or cash. As a merchant, my only way to fight is by adopting this approach, VISA and MC should ultimately be hurt by this decision; but unfortunately, customers continue to blindly do business by credit until they see it impact their wallets visibly. I hope others join my campaign.