What Are PCI Compliance Fees and Should You Pay Them?
As a small business owner, you have a seemingly endless number of regulations to abide by. You need to create a business entity, manage taxes, apply for licenses, and do tons of other tedious administrative tasks.
And when it comes to payments, compliance requirements are stricter and even more important. You’re dealing with people’s financial and personal information. That’s sensitive stuff!
Enter PCI compliance. Below, we’ll take a look at what it is and why it’s important for merchants. We’ll also explore how merchant service providers charge for these services, typical PCI compliance costs, and some other useful information about this pesky expense.
What is PCI DSS compliance?
If your business accepts credit card and debit card payments, you’ll need to comply with a set of data security standards established by the PCI Security Standards Council. These guidelines are called the Payment Card Industry Data Security Standard (PCI DSS) and they’re meant to protect your customers’ credit card information against security breaches.
Customer data is highly sensitive, and PCI compliance safeguards it using various measures for handling and preserving cardholder data. While card brands like Visa, Mastercard, Discover, and American Express require PCI compliance, its enforcement typically lies with individual processing companies.
What are PCI compliance fees?
PCI compliance fees are what you pay your credit card processor to ensure that your merchant account meets all applicable PCI DSS requirements. These are sometimes passed on to the merchant from the payment processor and are hidden fees you want to look out for when assessing payment processing options.
PCI compliance is regulated at the state level, and merchant account providers may also set their own standards for data security. It’s important to familiarize yourself with your merchant account provider’s PCI compliance standards so you can find a compliant payment processor to avoid additional fees.
If a payment processor does charge a PCI compliance fee, you’ll want to ask if it comes with extras—many will offer ongoing consulting services to ensure you get and stay compliant. It’s important to ask about this information! You want to avoid being scammed by the PCI compliance fee.
Generally speaking, it’s better to choose a provider that doesn’t charge you extra for PCI compliance. At Payment Depot, for example, PCI fees are included in your membership fee, so you don’t have to worry about more costs.
It’s important to note that paying PCI fees doesn’t entirely free you from the responsibility of ensuring that your account is PCI compliant. While most processors will usually provide certain services to ensure compliance from a technical standpoint (more on this later), you’ll still need to fill out a Self-Assessment Questionnaire (SAQ) every six months. This is a series of yes-or-no questions that will tell you if you need to make any changes to become compliant.
What are PCI non-compliance fees?
Your payment processor may impose PCI non-compliance fees upon you if your account fails to meet the necessary PCI compliance standards. It’s essentially a monetary penalty for not abiding by the established regulations.
Unfortunately, paying a PCI non-compliance fee doesn’t fund any attempt to bring your business up to standards. PCI non-compliance fees, therefore, are a financial drain on merchants.
As such, one of the most common reasons that merchants are charged a non-compliance fee is the failure to update or complete the Self-Assessment Questionnaire (SAQ).
Here’s something else to look out for on your processing statements: PCI compliance fee and PCI non-compliance fee for the same period. Remember, these pesky fees are tricky and processors who charge them will try and sneak them in if they can.
Why processors charge PCI compliance fees
We mentioned above that not all payment processors charge PCI compliance fees. There are various reasons why they do, typically involving some sort of added service for PCI compliance. Here are some examples:
- Cyber liability insurance: In the unfortunate scenario where you do face a data breach of some kind, come processors will include insurance to cover associated costs and damages.
- Security scans: PCI requires merchants to run a security scan at least quarterly. Some payment processors will handle this for you as part of their PCI compliance fee. These scans must be done by an Approved Scanning Vendor (ASV).
- Ongoing support: Your payment processor might provide ongoing consulting for changes to PCI compliance, as well as tech support for any questions or issues that pop up.
How PCI compliance fees are calculated
Because they’re charged by the processor, PCI compliance fees are also set by the processor. Therefore, the exact numbers vary. However, they’re all calculated in a similar way: The processor determines what their fee structure is and decides if PCI compliance is included in those fees.
If the answer is no, they tack on a number depending on the additional services they would be providing and their target profit margin. You may be charged a monthly fee or an annual fee, depending on how the processor handles billing.
There are four ways that payment processors assess these fees:
1. An additional fee charged, no services provided. Unfortunately, there are some sketchy players in the payments industry who charge a fee for PCI compliance but offer no services in return. Read the fine print carefully, ask the right questions, and steer clear of such providers.
2. No fee charged, additional services provided. The most merchant-friendly option. Your processor will provide certain services to ensure compliance but won’t be charging you any extra fees in exchange.
3. An additional fee charged, additional services provided. Some processors will charge a fee for the services they provide in order to ensure PCI compliance. Make sure that the costs are reasonable and the services adequate.
4. No fee charged, no services provided. In this model, your payment processor essentially leaves PCI compliance in your hands. This is quite rare these days, especially as eCommerce is more commonplace and data security is of utmost importance.
Payment Depot takes the second approach, which is what you want to look for in a payment processor.
The bottom line
Overall, you want to find a payment processor that is PCI-compliant, doesn’t charge PCI compliance fees, and offers ongoing services to ensure compliance. Payment Depot checks all three boxes with membership-based pricing and no hidden fees. On average, our members save up to $400 a month on credit card processing fees.
Quick FAQs about PCI Compliance Fees
Q: What is PCI compliance and why is it important for businesses accepting credit card payments?
PCI compliance refers to adhering to the Payment Card Industry Data Security Standard (PCI DSS), a set of data security guidelines established by the PCI Security Standards Council to protect customers’ credit card information against security breaches. Compliance is crucial because it helps safeguard sensitive customer information and is required by card brands like Visa, Mastercard, Discover, and American Express.
Q: What are PCI compliance fees, and how do they relate to payment processors?
PCI compliance fees are payments made to your credit card processor to ensure that your merchant account meets all PCI DSS requirements. Payment processors may charge these fees and sometimes pass them on to merchants as hidden costs. It is essential to look out for these fees when comparing payment processing options.
Q: How do payment processors charge for PCI compliance, and what services may be included in these fees?
Payment processors decide their fee structure and whether PCI compliance is included in those fees. They may charge a monthly or yearly fee based on the additional services they provide and their target profit margin. Some services offered with a PCI compliance fee include cyber liability insurance, security scans, and ongoing consultation and support for PCI compliance changes.
Q: What are the four ways payment processors assess PCI compliance fees, and which is the most merchant-friendly option?
The four ways payment processors assess PCI compliance fees are:
- Charging an additional fee with no services provided.
- No fee charged, additional services provided (most merchant-friendly).
- Charging an additional fee, additional services provided.
- No fee charged, no services provided.
The most merchant-friendly option is when a processor provides additional services for PCI compliance without charging extra fees.
Q: What should merchants look for in a payment processor to avoid additional PCI compliance fees?
Merchants should look for a payment processor that is PCI-compliant, does not charge PCI compliance fees, and offers ongoing services to ensure compliance. Payment Depot is an example of such a provider, as they offer membership-based pricing with no hidden fees and help members save on credit card processing fees.