Who is PCI and why is he charging me every month???

If you are like a lot of merchants when you take a close look at your credit card processing statement you will see a $20 to $35 monthly fee for PCI non-compliance. PCI or actually “PCI DSS” stands for Payment Card Industry Data Security Standards and is a list of requirements for all companies that process, store, or transmit credit card information. These standards were created in 2004 to focus on improving payment security. Then in 2006 PCI DSS 1.0 was released and businesses accepting credit card payments were required to be compliant. Version 1.0 was the first time all of the card brands supported one security standard for card payments. Unfortunately, less than 25% of small businesses have become compliant, and processors charge the rest a “non-compliance” fee until they go through the procedures to become certified.

In this article we will go over some details about PCI and shed light on a topic that many merchants feel is unnecessary and many never go through the certification process.

Most small business owners see PCI as an added expense both in time and money, but the truth is the costs are quite low when compared to the potential risks. Many small business owners think they are too small for an attacker to spend time going after them or that since they don’t process online transitions that they are safe from data breaches. That being said as a business owner you may be more vulnerable than you think. Small businesses are far more likely to have unresolved system vulnerabilities making them much easier targets. In fact, it could take an attacker weeks or months to beach a large target, but many small businesses can be breached in a matter of minutes. Not just talking about e-commerce businesses either, in Verizon’s 2015 Data Breach Investigations Report one of the most affected industries for POS intrusion was retail. The PCI requirements are designed to teach you about data security and help you secure your business. Below are some key points pertaining to compliance and your business.

Self-Assessment Questionnaire:

We get many complaints from merchants that say the self-assessment questionnaire (SAQ) defeats the entire purpose. They say things like “what keeps people from just filling it out in a way that says they are complaint”, and I get their point, however I think this is the wrong way to look at it. The SAQ isn’t about a business saying they are secure; it’s about becoming more secure. On a conference call a couple years ago, a leading PCI security vendor made a good point. He said every business should treat the PCI requirements as a way to learn about securing their business and they should use it as a tool to make incremental changes each year. The card brands and PCI Security Council know credit cards are not going to be 100% secure no matter what they do, however continually putting the security standards in front of businesses helps to teach people how to best secure card data. Having worked on many of our own SAQs we know how frustrating it can be, however it is important. Start it early and do a little bit each day comparing the questions to your business and be prepared to make changes to operations to better protect yourself and your customers.

Vulnerability Scans:

As I said before, the card brands know they can’t make sure every transaction is handled securely, but vulnerability scans are a good way to at least alert a business to a known issue with their network. While this additional step is not required for every business, it’s an important step to securing many businesses. For small businesses that don’t have a team of IT people, this might be the only amount of system security verification that occurs. Most small businesses are connected to the Internet, and many of those are using household grade network appliances that are using out of the box configurations and don’t get normal security updates. According to Verizon’s figures in the 2015 Data Breach Investigations Report, 99.9% of exploited system vulnerabilities were compromised more than a year after they were published. What that means is most, if not all, of those breaches could have been prevented just by doing regular security updates. A vulnerability scan should catch most of those vulnerabilities and alert the business owner of the potential risks. Keep in mind the vulnerability scan from the PCI security vendor is only going to be able to scan the side of your network that touches the Internet. It is not able to test your internal computer systems so it’s good practice to make sure those are updated and properly maintained as well.

PCI Costs:

PCI fees vary from processor to processor but it’s pretty standard to be charged $90 to $150 per year for PCI Services. Some processors will charge this as an annual fee and some will charge it on a monthly basis. In addition to this service fee you may also see PCI non-compliance fees which normally run about $20 per month. The non-compliance fee is easily removed from your account by proving that you meet the PCI requirements. If you are using your processor’s PCI compliance service, the fee is usually automatically removed once you are shown to be in compliance. If you are using a third party you will be required to send them proof of compliance, normally in the form of a certificate which is obtained from your PCI vendor.

I suggest staying away from processor provided PCI insurance, unless it’s included at no additional cost. Hypothetically it’s “insurance” that covers your costs if you do have a breach, in reality it may or may not help. If you have some sort of fee for PCI insurance it would be a good idea to contact your processor and ask for the policy details, and maybe even how to remove the fee altogether as you may be paying for something that would not help at all. I am sure some processors have legitimate insurance they are providing, however you need to know what is covered and in what circumstances those things are covered. It’s likely there are many scenarios where the processors one size fits all insurance isn’t giving your business any real coverage.

Breach Costs:

If you are unfortunate enough to experience a data breach, the costs of both time and money add up very quickly. The PCI DSS requires that if a merchant even believes they have been breached they are to have a third party conduct a forensic examination to determine if a breach has occurred. This can last weeks or months, and during this time they require your point of sale be shut down. It’s estimated that a small business examination costs between $20,000 and $50,000.

Then there are those potential fines which start at $5,000 and can exceed $50,000. It’s true that many small businesses are not assessed a fine for their first breach, however the ongoing PCI requirements for those merchants become much greater and fines can and have been assessed to those businesses that failed to become and maintain compliance.

Other Potential Beach Costs:

Notification of Customers: This cost can vary; however, it’s going to require you to send letters to anyone who did business with you around the time of the breach. You’re going to have to be sending multiple communications so you’re probably looking at a cost of at least $2.50 per customer.

Card Replacement Costs: You could be required to pay back the card issuers for having to reissue new credit cards to their customers. These fees can range from $3 to $10 per card.

Credit Monitoring: You may be required to provide each customer affected by your data breach with credit monitoring services for a year.

Liability for fraud charges: Your business may be held liability for any fraudulent charges on any card associated with your breach. For large breaches, the liability in this situation is practically unlimited.

Non-Monetary Costs: Your business may be required to contact past customers and explain that you breached their credit card data. You may end up with a spot on the evening news. These things add up to much more than just lost sales and time. It also puts you at risk of not being able to accept card payments any more as the card association may choose to no longer allow you to accept their cards

Conclusion:

The costs to be PCI compliant are negligible compare to the costs of even a potential breach. Becoming PCI complaint helps you better protect yourself and your customers, and if there ever is a breach, your penalties are likely to be significantly less than had you not been compliant. The next time you see that your PCI compliance certification is due, look at it as a way to secure your business and customers against fraud.