Processors use PCI non-compliance fees as an expensive monthly reminder to prompt businesses to become PCI compliant.
Note that Visa and Mastercard do not impose fees on businesses that are PCI non-compliant – that decision comes solely from your processor, making a PCI non compliance fee a pure profit charge for processors. Processors are not required to charge you a non-compliance fee.
Let’s take a closer look at PCI non-compliance fees and how you can avoid them.
- What is PCI?
- What is a PCI non-compliance fee?
- Processors Set Fees Individually
- How to Get Rid of PCI Non-Compliance Fees
What is PCI?
PCI stands for “payment card industry” and it’s the first half of the acronym PCI-DSS. (The second part stands for “data security standards.”) While you may see the full term PCI-DSS, it’s more common to see just “PCI.” However, it refers to the same set of standards.
PCI-DSS is a set of rules regarding secure credit card acceptance. Any business that takes credit cards is required to be PCI compliant. In addition to taking steps to secure your systems, you’ll need to fill out a yearly Self-Assessment Questionnaire (SAQ) as part of the compliance process.
What is a PCI non compliance fee?
Some processors choose to charge a PCI non-compliance fee when a business fails to provide proof that it complies with PCI-DSS requirements. Sales people in the industry sometimes justify the fee as a penalty charged by Visa and MasterCard that is simply being passed along, which is not necessarily true. Visa and Mastercard do not charge businesses or processors a fee for PCI non-compliance. However, the cards brands may impose compliance fines if non-compliance leads to a security issue or breach. In the most generous light, processors could claim that they’re insuring themselves against such a compliance fine if your business experiences a data breach that results in fines.
The card brands’ fines are often large, one-time charges imposed after a security-related issue occurs. PCI non-compliance fees, on the other hand, are relatively small monthly or annual fees imposed directly by processors. Since Visa and Mastercard don’t charge non-compliance fees, the revenue generated from these fees goes straight into processors’ pockets.
Non-Compliance Fees vs. Compliance Fees
Most processors charge PCI non-compliance fees, but some also charge compliance fees. PCI compliance fees are often smaller than non-compliance fees, and cover the costs for the processor to assist you with PCI compliance or provide tools that make it easier to become compliant.
Both PCI compliance and non-compliance fees are commonly a monthly charge, though they can be yearly charges. However, processors typically only charge non compliance fees in the months that you aren’t PCI compliant. That means that you can avoid non-compliance charges completely by maintaining PCI compliance. Additionally, if you’re not compliant, it means that you can become compliant to stop future non-compliance charges.
On the other hand, processors will usually charge PCI compliance fees regardless of your status.
Identifying the Fee
Non-compliance fees are typically listed on your monthly statement and clearly labeled. In the image below, we’ve compiled snippets from multiple statements showing how the fee may be listed.
As you can see, different processors refer to the fee by different names, including PCI non-validation, non receipt of PCI validation, and non-PCI chg (charge.) Despite the variation in terms, all of them refer to the same fee: PCI non-compliance charge because you’re considered non-compliant.
Processors Set Fees Individually
It’s the responsibility of individual processors to validate compliance, so each processor chooses whether to charge a PCI non-compliance fee, and if so, how much the fee is. PCI non-compliance fees typically range from $10 to $30 a month, but can go as high as $100 a month for processors interested in leveraging the fee for excessive profits.
How to Get Rid of PCI Non-Compliance Fees
The legitimate purpose of the PCI non-compliance fee is to encourage businesses to become compliant. If you see a non-compliance fee on your credit card processing statement, call your processor and inquire about having it removed. You’ll likely have to become compliant before they will stop charging the non-compliance fee.
Fortunately, PCI compliance is often not as painful as it sounds. In the case of retail businesses that swipe the majority of transactions, compliance can be as simple as completing a self-assessment questionnaire. In the case of e-commerce businesses, compliance entails a questionnaire and quarterly network scans. The latter is a little more involved, but neither justify paying a PCI non-compliance fee that can be hundreds or even thousands of dollars a year.
If you’re new to PCI compliance, be sure to check out our article on how to become PCI compliant. You can also contact your processor for assistance.
Oftentimes these non-compliance charges exist to help the processor cover the cost of managing non-compliant merchants. There is a significant overhead to the acquirer/processor in terms of reporting levels of compliance. This isn’t pure profit, but acts as both an incentive to get the merchant to submit the correct information so the processor or acquirer can get a better understanding of the risk. Some processors even use this revenue as a buffer for merchants that get breached, so that they can help soften any fraud losses.
Like Andrew said, the non-compliance fees are charged to help the processor cover the cost of managing non-compliant merchants and to also serve to cover the costs when the merchants get breached. Charging $10-$100 per month is relatively cheap for the level of risk the processor is facing.
PCI Non compliance fees are another form of corporate crime. It’s a scam. It’s just another way to cheat the merchant who’s just trying to run a small business. The fees are well hidden in the monthly processing statement to fool the merchant for as long as they can. I use Helcim and they did a great job hiding these fees on me for almost 2 years until I had a month of no sales and discovered the high costs of doing business.
The only scam is expecting a free lunch. Protecting consumers’ information is a cost of doing business, but most businesses don’t calculate the costs before taking the leap. Businesses want the benefit of using the Visa/MC/Amex/Disc systems without taking the fundamental precautions that go along with the deal. It’s like an airline that selectively decides that airplane maintenance is optional, then figures out the hard way that the maintenance has positive benefits. The US Fed gov needs to fix all this by assessing mandatory punitive damages against organizations that fail to extend common courtesy to protect citizens’ private information.