I am sure there are going to be some industry insiders that wildly disagree with what I am about to say, but here goes any way. I believe these fees, for the most part, are just another profit center for this industry. Here is why:

• If you pay these fees are you made PCI Complaint? Answer: No you are not.
• Are you given tools or guides for becoming PCI Compliant when you pay these fees? Answer: Only sometimes.
• If you have a security breach and you were not following the rules of the PCI Security Standards Council are you insured against the fines you’ll receive? Answer: Probably not.

So what are you getting for these fees? Most of the time – zip, nada, and nothing!

I know there are exceptions to this but they are few and far between.

The next issue I have with these fees is they typically are added without any foreknowledge of the merchant. In other words they just show up on the statement, with what seems to be hope that the merchant will not see them. If these fees are legitimate why the secrecy? If these fees bring real value why not communicate what that value is? I think the answer is obvious – they provide little to no value so the fees are snuck on to the statement.

The last issue I am going to bring up (I could bring up many more!) is the lack of choice. Typically these fees are not optional, they are mandatory. These fees almost have a feel like they were mandated by the US Government or maybe even God! How dare we question such fees! Here is why I am puzzled about the lack of an option. I have a client that is a restaurant, they have a band new terminal and pin pad, the software file that was installed on that terminal is PCI compliant, the Pin Pad is PCI-PED approved, they have taken their PCI Self Questionnaire. So why do they need to pay this fee, they are compliant, why don’t they have the option to say no to this fee? That would be fair and logical wouldn’t it? I am afraid the answer is that providing such an option would reduce the profit of the merchant account provider.

The truth is that PCI Compliance has created some much needed data security guidelines while at the same time providing a wonderful tool to increase profits for this industry. We can use the fear of a $50,000 fine for not being compliant to manipulate you into paying fees like these. I know this hard to believe that anyone in the financial services area would use such tactics to increase profit. Wait a minute, that is not hard to believe at all is it!

Here are my suggestions for dealing with these fees:

1. If you see these fees on your statements call your provider and ask what you are receiving in return for your money. If you don’t like their answer find a provider who either does not charge these type of fees or actually provides something of value for the fees.

2. Educate yourself on becoming and staying PCI Compliant. Here are some links check out:

The Basics of PCI Compliance

PCI Compliance Guide

PCI Security Council

Security Metrics (They will assist you in becoming compliant)

PCI DSS News and Information Blog

PCI Compliance Demystified blog

Bottom line: Educate yourself about PCI Compliance, take what ever steps you must to become PCI compliant and stop paying these fees if they provide no real value for your business.

Please feel free to add your comments below. I would love to have someone defend these fees, I am very open to being wrong on this.

Related Posts

• Are You PCI Compliant?
• Suggested Read: PCI DSS Blog
• More on Free Authorize.net
• Video: Merchant Accounts – What to Look For and Ask About, Part 2
• Insiders Thoughts on Interchange Plus
• Video: Are Early Termination Penalties Really That Bad?
• Breaking News: Update on the TJ Maxx stores PCI Issues!

Are You PCI Compliant – By Dawn Rivers Baker

Enjoy!

Related Posts

• Suggested Read: PCI DSS Blog
• Merchant Account Compliance Fees – Legit?
• Breaking News: Update on the TJ Maxx stores PCI Issues!
• The Basics of PCI Compliance
• Why Comply with PCI?
• What is up with the CVV2 Code?
• Make Some Money and Feel Good Doing It!

http://treasuryinstitute.org/blog/

Check it out and let me know if you find that blog to be has helpful as I think it is.

Related Posts

• Are You PCI Compliant?
• Merchant Account Compliance Fees – Legit?
• The Basics of PCI Compliance
• Why Comply with PCI?
• Introducing the iPhone Virtual Credit Card Terminal
• Video: Merchant Accounts – What to Look For and Ask About, Part 2
• Authorize.net – Moving in the Right Direction?

They’ve nailed some of the ring that stole 45 million cards’ worth of information from TJX Companies. 11 people have been charged, and the ringleader, Albert Gonzalez, could get life in prison. Life.

And in addition to TJX, check out who else Albert’s gang targeted: BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21, Dave and Buster’s Restaurants, and DSW Inc.

Those are some big names.

Aaaaand. in addition to the $40 million that Visa fined them, TJX also settled with MasterCard for about $24 million-or a total over $60 million!

Well, I’m sure you understand the importance of security and PCI DSS compliance. If you want to read more about this breaking news, here are some links:

CNN

NY Times

Associated Press

Otherwise, if you want to start working on your own credit card security, start with this article here.

Related Posts

• Are You PCI Compliant?
• Merchant Account Compliance Fees – Legit?
• Suggested Read: PCI DSS Blog
• Surcharges and Conveniece Fees – Can You Charge Your Customers?
• The Basics of PCI Compliance
• Why Comply with PCI?
• What to do With Fraud

Before I get to the meat of the matter, let me finish what I began last week. It bugged me that I only knew what TJ Maxx was supposed to be fined, so I went and found out what they were fined. Rather than the roughly $100 per stolen card that was guessed at, TJX settled with Visa for about $1 per card. Rather than $45 Billion, they paid $45 Million. Still, though, that’s a lotta’ dough. Visa then went on to charge TJX’s acquiring bank $880,000 for not making sure their merchants were PCI compliant.

So there you are. Now, if you’re a big merchant and do 6 million card transactions a year, Visa will charge you $25,000 a month for each month they discover you aren’t compliant. And they have similar fines for all the not-that-big merchants.

Anyway, on to PCI DSS standards. (PCI DSS stands for Payment Card Industry Data Security Standard.) The key, easy concept is: Protect your customers’ data.

You first need to think about where your customers’ info is taken, what happens to it during the transactions, and then where does it go afterward. Here are some key questions for you to consider:

1. Are your terminals PCI compliant?
2. Do the receipts truncate the account numbers?
3. Is customer information winding up on your computers?
4. How are your firewalls?
5. Is data encrypted?

Now I have you thinking don’t I? Don’t freak out just yet! Below is the actual list of 12 requirements for your business to be considered PCI compliant (you can find them here on the PCI Security Website):

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Obviously these two are common sense.

Protect Cardholder Data

Requirement 3: Protect stored cardholder data

AHA! That’s vague. Well, things like having account numbers truncated on receipts and blocked out in general on your system is one example. Also, don’t store customer identity information in a generic Excel file. Just because some database program works well for tracking your expenses doesn’t mean it’s secure enough to withstand a hacker assault. Use programs specifically created for that purpose that are listed as compliant.

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Back to common sense on that one

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software

Requirement 6: Develop and maintain secure systems and applications

Yup. Common sense again.

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know

Requirement 8: Assign a unique ID to each person with computer access

Requirement 9: Restrict physical access to cardholder data

Aha again! Do you keep hard copy FILES on your customers? Or if electronic, can any old Tom, Dick, and Employee use the computers cardholder data is stored on?

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data

Here’s an easy extra for 9 and 10: If you can, have two servers that aren’t networked together. One can be for accessing the Web by the rank and file, doing business and whatnot. The other can be for cardholder information use only. That way, if a hacker breaks into the former system, your customers are still safe!

Requirement 11: Regularly test security systems and processes

There are many companies that will provide security audits for you. One great place is Security Metrics.

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security.

That’s more than enough information for one post. I’ll be back in a few days with a much shorter post providing a couple tools to immediately get on the ball with this. Meanwhile, you can check out the following links:

PCI Security Council

PCI Compliance Guide

Related Posts

• Why Comply with PCI?
• Are You PCI Compliant?
• Suggested Read: PCI DSS Blog
• How Do Merchant Accounts Work?
• Mid-Qual and Non-Qual Typically Means Hidden Fees
• Merchant Account Compliance Fees – Legit?
• Surcharges and Conveniece Fees – Can You Charge Your Customers?

It’s a Pain in the You-Know-What, but Necessary.

PCI seems daunting.  I’m sure you’ve heard about it.  To start, it’s actually PCI DSS that we’re concerned with, and that stands for Payment Card Industry Data Security Standard.  “Data Security Standard” is the key here.

Basically, the idea is to prevent identity theft.  You may remember the news about TJ Maxx and fellow TJX companies losing information for 45.7 million credit and debit cards.  Yeesh!  This was a couple years ago, and I bet they’re still shelling out for the fines incurred.  I don’t recall the final numbers, but it was estimated TJX’s fines were between $4.5 and 8.6 BILLION (with a “b).

Now also think about the pain this caused for any affected cardholders whose identities were stolen.

As you can tell from the size of the fines, as well as thinking about the security of your own credit cards, keeping data safe is a high priority-for you, for the card companies, the PCI Security Council (put in place by Visa, MasterCard, Discover, JCB, and American Express), and the consumer.

This post is getting long already, but it’s important to know you MUST learn about PCI compliance for two reasons:  1)  The Golden Rule-It’s just good sense to protect your customers, as you’d hope where you’re shopping protects you; and 2)  There are heavy, heavy fines for not being compliant once you’ve been breached.

I’ll outline the steps to PCI Compliance tomorrow, but if you want to start investigating yourself, check out the PCI Security Council’s website, here or this rather good site, PCI Compliance Guide, that is a little more step-by-step, here.

Related Posts

• The Basics of PCI Compliance
• Suggested Read: PCI DSS Blog
• Are You PCI Compliant?
• Breaking News: Update on the TJ Maxx stores PCI Issues!
• What is up with the CVV2 Code?
• Merchant Account Compliance Fees – Legit?
• Introducing the iPhone Virtual Credit Card Terminal

Many merchants believe that adding a cardholder’s three or four digit CVV2 code for a “card not present” (CNP) transaction will help qualify the transaction for a lower discount rate. However that is not the case; the CVV2 code is only valuable to protect against credit card fraud and has nothing to do with rate qualification.

CVV2 stands for Card Verification Value and was introduced by MasterCard in 1997 and Visa in 2001. For ‘swiped’ transactions, the value is referred to as CVV1. Each of the card brands has its own acronym:

• Visa: CVV2 – Card Verification Value
• MasterCard: CVC2 – Card Validation Code
• American Express: CID – Unique Card Code (and 4 digits)
• Discover: CID – Card Identification Number

Merchants are able to configure payment processing systems, like payment gateways and Point of Sale software, to accept or decline transaction requests based upon the match or mismatch of CVV2 information. For example, if a merchant creates a rule to decline all transactions where the CVV2 value does not match, the authorization request could be successful with the issuing bank, but the transaction will be denied by the merchant. Even though the transaction was denied by the merchant, the consumer’s card will still be authorized.

One thing to know about this code is that PCI DSS compliance prohibits merchants from storing the CVV2 code. For recurring billing, merchants can accept and validate the CVV2 value during the initial authorization but cannot store it for additional transactions. This should not be problem since after the initial validation, there really is no value in storing this code.

Related Posts

• The Three Price Points of a Merchant Account
• Merchant Accounts for the Rich and Famous
• What is Straight Pass Through?
• Tip of the Iceberg – Missing Debit Card Rate Reduction
• Interchange Plus Explained
• Mid-Qual and Non-Qual Typically Means Hidden Fees
• Video: It’s Time to go Interchange Plus! (October Rates Changes)

Related Posts

• Merchant Account Compliance Fees – Legit?
• Are You PCI Compliant?
• Suggested Read: PCI DSS Blog
• The Basics of PCI Compliance
• Why Comply with PCI?
• What is up with the CVV2 Code?
• Merchant Account Gift Card Program = Increased Revenue