The Payment Card Industry, or PCI, has a number of ways in which it accounts for the costs of preventing fraud. Any organization that accepts payment via cards (credit, debit, etc.) must adhere to the Payment Card Industry Data Security Standard (PCI DSS). In order to stay in compliance and cover costs, payment processors employ a number of different fees, penalties, and fines that vary in frequency and size.
For some, PCI non-compliance fees can be factored into the cost of doing business. However, many organizations prioritize PCI compliance, so they don’t end up with unnecessary penalties cutting into their bottom line.
More and more organizations looking to eliminate these costly fees are turning to PCI compliant web hosting as a solution to bolster their security, speed, and efficiency. In this guide, we’ll examine what PCI compliance fees are, why they matter, and how they can be kept to a minimum.
What are PCI Non-Compliance Fees?
PCI non-compliance fees are charges issued by payment processors to companies who use their services but have not proven PCI compliance. Often monthly charges, these fees protect the processor from covering potential fraud, and they serve as an incentive to prioritize PCI compliance.
Companies wondering how to avoid PCI compliance fees should first check to see which of the PCI compliance levels they fall under. Compliance levels are determined by an organization’s annual transaction volume. Depending on your company’s level, you will have a different set of requirements in order to achieve PCI compliance.
Regardless of the size of your enterprise, PCI compliance markers are required on both an annual and quarterly basis. From the banks and payment processors to the business owners and consumers, there are several different parties involved in the process of PCI compliance. Overall, best practices from each invested party play a role in reducing fraud and safeguarding sensitive payment information.
Types of PCI Non-Compliance Fees
To this point, we’ve discussed the costs of reducing fraud in somewhat general terms. Now let’s get really specific with our language. The different types of PCI fees fall under the same umbrella of fraud prevention, but each type does serve a specific purpose.
Three of the most common types of charges you may see issued by a payment processor are PCI non-compliance fees, PCI compliance fees, and PCI compliance fines. While some of these charges can be avoided more easily than others, you’ll want to be familiar with how each type works.
PCI Non-Compliance Fees
PCI non-compliance fees are charged when a company has not provided their payment processor with the required information to prove PCI compliance. In other words, the company’s practices are currently deemed “non-compliant.” These charges typically show up on your monthly statement and reflect your last quarterly network scan.
As a part of the PCI compliance checklist, quarterly network scans are performed to audit the networks that are supporting your payment transactions. If your network is found to be compromised, or if you fail to submit to these quarterly scans, you will not be in compliance with PCI DSS.
In addition to quarterly network scans, organizations must also submit annual self-assessment questionnaires and attestations of compliance. These are two more requirements that could trigger PCI non-compliance fees if not completed.
PCI Compliance Fees
While PCI non-compliance can cause you to incur fees, there are also PCI compliance fees that may be charged. PCI compliance fees are often maligned as just another bogus processing fee, but this isn’t always the case.
PCI compliance fees are meant to account for tools and ongoing support that processors are providing in an effort to help companies remain compliant. This support includes preventative network scanning and tutorials for properly completing self-assessments.
In addition to providing support, many processors are responsible for portions of the validation process that determine PCI compliance. It doesn’t all just fall to the PCI Security Standards Council. Documentation and data are reported by the processor to the PCI SSC in order to ensure your company is validated as being in compliance. Often processors will point to these efforts as an additional justification for PCI compliance fees.
It should be noted that not all processors charge PCI compliance fees, and those that do tend to make them much smaller than PCI non-compliance fees.
PCI Compliance Fines
Whereas compliance and non-compliance fees are usually small, monthly charges, PCI compliance fines tend to be larger, one-time charges. Fines are incurred when a security breach is traced back to your network. If that breach is found to be the result of a compliance violation, your organization might be on the hook for a costly fine.
Fines are a little more predictable than fees. While some processors won’t charge fees or will build them into their pricing, fines are much more absolute. If you are found to be at fault in a PCI non-compliance security issue, you will most likely be fined.
In this sense, PCI violations in eCommerce are similar to HIPAA violations and fines in healthcare. Just as IT professionals in the healthcare industry prefer to employ HIPAA compliant web hosting, eCommerce business owners should also be prioritizing PCI compliant hosting to avoid these hefty fines.
Why Do Processors Charge PCI Compliance Fees?
Processors charge fees for a few reasons that can range from profit to insurance. While many of the criticisms of bloated fee structures from processors may be valid, many fees have a purpose and directly cover the cost of doing business.
Processing payment cards requires assuming immense risks. While each party—consumer, business, processor, and bank—plays a part in a transaction, it’s ultimately the processor that is left holding the bag if fraudulent activity occurs.
Thus, PCI non-compliance fees and fines serve to mitigate the risk of processing payments.
How are PCI Compliance Fees Calculated?
PCI compliance fees are set individually by each payment processor. There are no regulations in place saying processors must not charge this or that, so compliance fees are entirely up to each processing company. In turn, you will see many different amounts and structures for compliance fees.
Most PCI compliance fees will be in the $10-$40 range. But again, some processors don’t charge them at all while others can have fees as high as $100. Oftentimes, you will see processors attempt to incorporate their fee structure into their brand’s marketing. Popular slogans like “additional services, no fees” may hint at a processor’s approach to PCI non-compliance charges.
Of course, compliance fees are not the only charges you’ll see on your monthly statement from your processor. Much of their profit is made from percentage-based transaction fees. Set by each major credit card company, these transaction fees are often passed on by the processor in order to cover the cost. Transaction fees tend to vary between 1% and 3% of each payment processed.
How to Avoid PCI Non-Compliance Fees
First and foremost, the easiest way to avoid unnecessary PCI fees and fines is to remain in compliance with PCI DSS. This can be achieved by staying up-to-date with your self-assessments, performing proactive in-house audits, and prioritizing PCI compliant web hosting.
Fully compliant web hosting from Liquid Web is flexible, reliable, and fast. No matter what industry you’re in, our single-server, cloud-based, and hybrid solutions can help you achieve your PCI goals.
Still, you may be subject to monthly fees and charges from your payment processing company, which is why it’s important to always review each processor's fee structure before deciding on your payment processing partner. If a processor has promised no fees and you find out otherwise down the road, consider making the change that’s best for your business.
David Gibb is the Financial Controller at Liquid Web. He has over 20 years of experience working in Finance. He is a CPA in Canada, CGMA in the United Kingdom, and a CPA in Australia.