The Green Sheet Online Edition
June 14, 2010 • Issue 10:06:01
What does a merchant get for a PCI fee? - Part 1
I've been confused about what a merchant gets with a PCI fee. What is the fee designed to do? Enable a merchant to ignore the Payment Card Industry (PCI) Data Security Standard (DSS)? Insure the merchant against PCI fines? Pay for the processor to become PCI compliant? Pay for the merchant to become PCI compliant?
In an attempt to learn more, I posted on GS Online's MLS Forum that the monthly PCI fee has become increasingly common and that it seems to range between $5 and $15. And I asked Forum members the following questions:
- Is this PCI fee really as common as I am indicating? It seems that most acquirers are now charging it, and this fee has replaced some of the margin compression from lower rates.
- Is my assessment on the range accurate, or are you all seeing numerous instances outside of the $5 to $15 per month range?
- It's unclear to me what this fee covers. For example, some acquirers include insurance with the monthly fee in case a breach should occur. Other acquirers state the fee allows the acquirer to be PCI compliant. What does it really include and exclude?
- Is the logical conclusion that this is just another fee? It seems, over time, we acquirers will get smart enough (I'm optimistic) that we will be deploying products that are inherently secure. Upon doing so, I don't see this fee going away. Do you agree?
- If there is a breach at a third party (gateway, for example) used by many merchants within a portfolio, and the insurance company does not pay (for whatever reason), is the acquirer ultimately liable because it was the one charging the fee?
Many strong opinions
GMARTIN was the first to respond. Brief, yet clairvoyant, he said, "And let the flood gates open ..." And open they did. Four pages, 51 replies and 733 views later, I begin this article. I can only hope my future posts will be as thought provoking.
FASTTRANSACT did a good job of framing an acquirer's concerns: "Let me begin with that PCI is more complex than just a scan," FASTTRANSACT wrote. "It is about educating merchants to protect cardholder data within their daily business practice.
"I know that some ISOs outsource their PCI compliance requirements to third-party vendors who offer a monthly scan and insurance in case of a breach. These services range from $20 a month to an annual fee of $99+.
"However, merchants and MLSs/ISOs need to look beyond the fee and the scan. ... To take the time with each merchant they [the MLSs] touch to go over their procedures and educate them on the consequences. If not at the MLS level, then the ISO needs to provide this service. It protects the merchant, and it protects both the MLS and the ISO."
FASTTRANSACT went on to argue that educating merchants is valuable and expensive, but necessary. Therefore if you are providing an educational service, a modest fee is acceptable, and the merchant is obtaining a valuable service.
She finished with, "There are numerous ISOs who do provide a quality PCI program and keep the costs/fees to the merchant relatively low with a strong value-for-value component." FASTTRANSACT, however, was in the minority of respondents.
A call for education
CLEARENT was a bit more cynical: "We, as an industry, are all too worried about what might happen at the switch, or at our host, etc.," he stated. "So a fee gets charged to cover that expense ... and, oh, maybe get info from the merchants.
"PCI is just a buzzword now. Truth is we should be educating our merchant base, over and over, about data security. It should become a mantra for all of us.
"A merchant is only secure the minute they complete the questionnaire and abide by the needs or instructions. They can do what they want and afterward be out of compliance.
"So, let's be real. The cost charged the merchant isn't for their compliance; it's for the host's compliance cost coverage. That's OK, if it's disclosed as such.
"Lastly, the argument about insurance, I am sure, is going to arise. When it does, consider who the insured is and if the true cost is disclosed. In most cases, the insurance plans I have seen have a markup, which, if I am not mistaken, is called profit. Again, not a problem, if everyone understands it."
CCGUY reported that he has seen fees as high as $30 per month. He cited statements in which a merchant had both a monthly PCI fee and an annual PCI fee in addition to a "standard" annual fee.
He also posted one of my favorite comments on this thread in a separate post while describing the complexity a merchant encounters while getting an integrated POS system into compliance: "Merchants are businesspeople, not computer geeks!"
MARINESTEBAN brought an entirely new perspective to light. He asked, "What about those charging a 'noncompliance fee'? Does that mean that the [merchant] customer is not PCI compliant, and instead of being [brought] to compliance or shut down they get a free pass as long as they pay $xx.xx/month?
"Sounds like a cop giving out tickets to drunk drivers instead of taking them in."
ALEXPHER acknowledged the costs in maintaining compliance but shared an additional question.
"Without doubt, there are costs involved for ISOs to become PCI compliant themselves, but they are recovering their own costs by charging ridiculous fees to their merchants," he wrote. "The processors are PCI compliant, too, but none of them passed on their fees to the ISOs. So where is the logic in charging the PCI compliance fees by ISOs to their merchants?"
CCGUY shared his experience and distrust of a PCI company that discussed the profit potential during a web presentation for MLSs.
He wrote, "A few things that stuck out from the meeting: 1. More than three times he mentioned that PCI compliance is an opportunity to make money. 2. Kept saying that PCI is a big time profit center. 3. Costs ... here is an attention getter! Merchant with dial-up cc machine $5 a year! A year!
"Merchant who needs a scan $15 a year! And he says you can charge $5 a month and $10 a month or a yearly fee to your merchants."
STEVEN_PEISNER reminded us that even if the card networks were not pushing us all toward PCI compliance, state law would, as nearly all the states have enacted their own breach laws, which all have penalties. Additionally, he provided a strong argument in favor of the PCI fee.
"But if a merchant couldn't afford to pay the fines assessed by the card associations and/or any litigations from issuers (including the cost of reissuance), it would be the responsibility of the ISO/MSP [member service provider], and in that case, I can understand the need to charge each merchant on the books a fee for PCI compliance," he wrote.
"The collected fee then becomes a reserve 'in case of catastrophic loss' derived from a merchant. I believe that in this equation the common denominator is the fear of loss versus actual loss."
A need for dialogue
CLEARENT added that the topic is "too hot with way too many emotional responses today. I think the article, no matter how well presented, has the potential to be misread and result in people thinking it not an article, but an opinion ... doesn't matter how objective.
"The simple truth, from reading all the comments, is this: we, as ISOs, aren't educating the MLS or the smaller ISO well enough. We are not taking the time to inform our ISA [independent sales agent] partners and train them.
"I would like to think I am, as I have been very intentional in doing so, but obviously, across the industry, that doesn't seem to be perceived. As long as it's called a money grab all the time, there is information that isn't getting out there. Only pieces.
"For that reason, I suggest all the big players out there look inside, and reach out to your ISA/ISO relationships. Take the time to call them or email them, and give them enough information to open a dialogue.
"And you ISAs/ISOs out there with complaints and concerns: get your questions answered. If you are still not happy, find a partner who makes you happy."
More to come
Many opinions expressed in the Forum focused on dissatisfaction with the fees, which is understandable, given my questions. In the second part of this article, we will hear further thoughts from MLS Forum members, as well as find out what a respected compliance professional has to say about the assessment of noncompliance fees and who ultimately owns responsibility for a breach.
Regardless, when in doubt, sell something!
Ken Musante is President of Eureka Payments LLC. Contact him by phone at 707-476-0573 or by e-mail at firstname.lastname@example.org. For more information, visit www.eurekapayments.com.