Is a PCI fee just another junk credit card processing fee, or is it a legitimate charge? Actually, it’s both. Some credit card processors charge a PCI fee and provide no compliance support, others charge a fee for providing compliance scanning and assistance, and some don’t charge a fee at all.
PCI DSS stands for Payment Card Industry Data Security Standard, and it’s essentially a set of guidelines that businesses follow to ensure cardholder data remains secure. PCI is managed by the PCI Security Standards Council, and PCI compliance is required by Visa and MasterCard for any business that accepts credit cards.
The PCI compliance mandate leaves the responsibility of validating compliance for a large segment of merchants in the hands of processors. This freedom has allowed processors to approach PCI fees in three general ways.
The processor charges a PCI compliance fee and also provides compliance support.
A PCI fee is legitimate and even beneficial to a business if the processor provides compliance support and the fee charged for the support is reasonable.
Navigating PCI compliance is confusing and time consuming — especially for e-commerce businesses. In light of this, many processors provide support, such as help with self-assessment questionnaires and quarterly network vulnerability scans, to guide businesses through the perils of PCI compliance.
If the PCI fee charged for such support is reasonable, it is often less than a business person would pay if she were to navigate PCI on her own.
For example, a legitimate PCI fee would be something in the area of $70-$120 a year, or about $6-$10 a month for compliance support involving scans and assistance completing compliance questionnaires. The PCI fee may be greater or less depending on the level of support the processor provides.
The processor charges a PCI compliance fee and provides little or no compliance support.
Paying a PCI fee for nothing is very similar to paying a PCI non-compliance fee – both types of charges are pure profit for the processor.
Contrary to what many sales people claim, Visa and MasterCard do not charge processors anything for PCI. There is no cost the processor must pass along to cover its expenses from the card brands.
If you’re paying a PCI fee, you should be getting something for your money. If you’re not, you’re simply padding your processor’s pocket.
The processor does not charge a PCI compliance fee.
The burden of validating PCI compliance has fallen to individual merchant service providers and processors, and many have chosen to let businesses tackle PCI compliance on their own.
Generally, there are two reasons why processors take this approach, and one is actually in the best interest of businesses.
PCI fees are calculated on a per-case basis.
PCI compliance and validation are less expensive for retail businesses than they are for e-commerce businesses, yet both types of businesses pay processors the same monthly or annual PCI fee.
Processors that allow businesses to handle PCI on their own ensure each business pays its fair share for compliance and validation instead of subsidizing the cost of PCI for other businesses.
Lower fees provide a leg up on the competition.
It’s no secret that the processing industry is very competitive, and processors are always looking for ways to appear less expensive than the competition. Slashing a monthly or annual PCI fee from the rate sheet is always seen as a plus by a prospective client.
Rarely, processors will provide PCI support at no charge. A couple such processors can be found in CardFellow’s free marketplace, but finding them elsewhere is pretty tough.