All You Should Know About the PCI Non-Compliance Fee

December 23, 2021/ Posted in Merchant Essentials

If you are interested in merchant services, you might be curious about the PCI non-compliance fee. This is one of the fees that raises a lot of questions among business owners – what is it for and what does being compliant mean? What services do providers offer in exchange and is there a way to avoid paying for it? You’ll find these and many other answers in this article, so keep on reading.

What Is PCI Compliance?

In order to understand this term better, we’ll start with the basics. PCI compliance means meeting the data security standards set out in the Payment Card Industry Data Security Standard (PCI DSS). These standards are here for a reason – they ensure that customers’ credit card data is handled with care, and they provide safeguards that minimize the chance of a data breach. Card associations such as Visa and Mastercard require that businesses follow PCI DSS, but the enforcement of these rules is left to individual processors.


How to Become PCI Compliant?

Depending on the type of business, the requirements for becoming compliant vary and can be very complex. For example, if you run a retail-only business and don’t rely on a payment gateway, you’ll have to meet only a few requirements, but if you have an eCommerce business that processes all sales via a payment gateway, you’ll face far more extensive requirements. However, merchant service providers don’t always take these distinctions into account when setting PCI compliance fees. They prefer to charge all merchants the same amount regardless of which requirements actually apply to them.

Businesses Are Divided Into Four Levels of Risk

Credit card associations divide all companies into four levels of risk – this distinction is based on how many transactions they process annually. Knowing which level of risk your business belongs to tells you what your compliance obligations are. In general, the majority of small businesses fall under the fourth level of risk. This level includes merchants processing fewer than 20,000 e-commerce transactions annually. The third level, for example, includes merchants that process up to 1 million transactions annually. However, different card networks have different criteria for these levels.

You Should Update the SAQ Annually

Your provider will handle many actions, but you’ll also have to perform some steps yourself, both when you apply for a merchant account and after it is set up. One of the most important steps you’ll have to take is completing the Self-Assessment Questionnaire (SAQ). This questionnaire should be updated annually; failing to keep it updated is one of the most common mistakes merchants make and one of the main reasons they are charged a non-compliance fee.

Different SAQ Forms Are Available for Different Types of Businesses

The PCI Security Standards Council publishes several different versions of the SAQ for various kinds of businesses. Each of these versions is described on the PCI SSC website, where you can also find the documents you need to fill out the SAQ.


All About the Compliance Fees Charged by Credit Card Processors

These fees are charged by credit card processors. There are two types – compliance and non-compliance fees. One or both of these costs might appear on your merchant statements, which is why it is important to understand what they are and why you’re required to pay them. In theory, these costs compensate the provider for the merchant services it offers to help your merchant account become and stay compliant with the applicable PCI standards. Although eCommerce businesses have more requirements than most other businesses, as we already mentioned, both online and offline businesses will pay the same monthly or annual amount if their provider charges them.

These Fees Are a Relatively New Feature in the Industry

The first set of standards was published back in 2004, when it became clear that businesses needed to take extra steps to protect their customers’ sensitive credit card information. Naturally, these additional requirements and the work involved led to additional costs, and merchant service providers started to pass these costs on to their clients.

Common Misconceptions

One of the common misconceptions about these costs is that paying them means your provider will ensure your account is fully compliant without you having to do anything, but this isn’t possible. At a minimum, these services might take care of the more technical aspects of following the guidelines, but it is your obligation to fill out the SAQ completely, on a regular basis, and keep it updated.

Options Offered by Providers Usually Fall Into Three Categories

Options offered by providers in most cases fall into these categories:

  • Security Scans – This is one of the most basic options your provider can offer you, and it is almost always included in the statement. The security scanning process checks all aspects of your processing system, including the website, payment gateway, server, and all connected terminals or POS systems, for malware, Trojans, viruses, and other security threats. These scans are typically conducted quarterly, but some providers will scan your system every month.
  • Data Breach Insurance – If your data is hacked or stolen, this is the insurance that will reimburse you for your losses. However, this insurance is subject to policy limits, and there is no guarantee that the insurer will accept your claim if you suffer a breach. You have to review your insurance policy and determine which specific incidents it covers. The possibility of a denied claim can make this insurance seem like a waste of money, but not having any kind of insurance is certainly a worse option. This kind of insurance is essential for eCommerce merchants, and one of the highest-rated providers is CDGcommerce, offering $100,000 of coverage as part of an optional cdg360 security package. Considering that you pay only $15 a month for this, it seems like a good investment.
  • Customer Education & Assistance – Some providers offer a so-called in-depth knowledge base to educate you about the requirements, together with proactive assistance: your provider will contact you immediately if they detect any kind of suspicious activity that might threaten your account’s safety. Some providers will offer minimal service in this area and still charge you the full price. You should also keep an eye on providers that offer only minimal FAQs, or that are quick to start charging you without notifying you that your account is non-compliant.

Pricing for PCI Compliance – How Much Does It Cost?

When it comes to pricing, you will find many variations, because providers are free to charge for this any way they choose. Depending on the company and on how the “industry standard” has developed over the years, most of these expenses are bundled into a single annual payment of around $100, but in response to recent inflation and additional requirements, it is now closer to $120 per year. So, what is the problem with paying a single annual price, you might wonder?

Most providers won’t give you a prorated refund if you close your account before the service expiration date. Many users complained about this, so some providers now charge monthly instead – typically around $8 to $10 per month or more. In other words, you’ll be charged either a higher monthly account fee or higher processing rates, which will include the cost of following these guidelines.


PCI Non-Compliance Fees Are Another Important Category

What is a PCI non-compliance fee? It is a fine or penalty for failing to keep your account up to security standards. The most common reason for it is not updating your SAQ – as we already mentioned, this is the questionnaire in which you update all of your information. If you fail to do this, additional fees will be added to your monthly statement.

The problem with this fee is that your company gets no services in return for it, so it is considered a junk fee that you can definitely avoid paying – if you’re aware of it. The biggest issue is that, in most cases, this fee is added to your bill without you being aware of it. Depending on the provider, it averages $20-$30 per month. If you’re lucky, your provider will notify you in advance and give you the opportunity to update your information without charging you, but in most cases, you won’t be notified. This is why you should review your account statement carefully every month and avoid unnecessary payments.

You Can Be Charged the PCI Compliance and Non-Compliance Fee at Once

No matter how absurd this might seem at first, your provider might charge you both of these costs at once. You’ll pay both of them simultaneously for as long as you don’t fix the problem. This can be easily avoided if you keep your account compliant – just review your requirements carefully and regularly and make sure you’re meeting all of them, so you won’t be charged for either.


How Are Non-Compliance Fees Charged for Merchant Service Users?

These payments are handled differently, because you’re only charged once your account becomes non-compliant. Until you get your account back in order, almost all providers will charge you $20-$30 a month. They could also shut down your account, but this rarely happens. This can be a very unfortunate scenario for small business owners, who end up paying these extra charges because they rarely have enough time to review their processing statements every month. In other words, they might not notice that they’re being charged these fees for months.

No matter how you’re being charged, these costs should be disclosed in your agreement documents, so make sure you review them before signing up for an account if you want to avoid any unpleasant surprises.