Have you ever looked at your statement and wondered what some of the fees are? Specifically, what is PCI Non-Compliance?
PCI Non-Compliance is a fee that merchant service providers charge a merchant whose PCI self-assessment questionnaire (SAQ) and/or required PCI scans are not up to date.
Because merchants ask me this so often, I am going to go into the details of what PCI non-compliance is, why it exists, and what you can do to remove it.
Before I go too far into detail, if you are a local business searching the internet for "what is PCI Non-Compliance", please leave a comment below. Write "Yes" if you are and "No" if you are not. You can write more, of course; we would love to see it. I want to use these results for a future guide.
What is PCI Non-Compliance?
As stated above: PCI Non-Compliance is a fee that merchant service providers charge a merchant whose PCI SAQ and/or PCI scans are not up to date. We have seen these PCI Non-Compliance fees range from $7.00 per month up to $125 per month.
However, to understand what PCI Non-Compliance is and why you would get that fee, I should first explain what PCI Compliance is.
PCI stands for Payment Card Industry. When we talk about PCI, we are most often referring to the PCI Data Security Standard, also referred to as PCI DSS.
You can read all about PCI DSS on the PCI Security Standards Council website.
If a business accepts payment cards, in the United States or anywhere else, it is required by its card-brand and processor agreements to comply with PCI DSS at all times. It is a contractual requirement rather than a law, and it is your processor that enforces it.
Merchant processors require their merchants to go through a PCI assessment each year. For most small merchants this assessment is a self-assessment questionnaire (SAQ). There are several SAQ types, all published by the PCI Security Standards Council, and each one is meant for a particular way of accepting cards; processors usually have you complete yours through a compliance portal run by a vendor approved by the Council.
We will go into more detail at a later time on how to pick which SAQ if you want the quickest route.
There is another aspect of PCI: PCI scans. A PCI scan is an external vulnerability scan, run from the internet by a PCI SSC Approved Scanning Vendor (ASV) against your public-facing IP addresses, looking for weaknesses that could lead to a cardholder data breach. If your SAQ type calls for scans, or your processor flags you as needing them, you must pass a scan every quarter. The scan only sees what your router exposes to the outside, so any device with a port forwarded to the internet gets scanned whether or not it handles card data.
In summary, if you do not pass your SAQ every year, or your PCI scans (if required), you can expect a PCI non-compliance fee.
Why do we have PCI requirements?
From my understanding, and I am not an expert, we have PCI Compliance for protection: protection for our merchants, their cardholders, and us as the agent or processor.
The way I explain PCI is that it was created because the industry was tired of cardholder data getting out, often because merchants were careless or irresponsible. If you go through a PCI compliance program, you will be better able to protect yourself and your customers.
A merchant who is not willing to take the time to answer the SAQ and run the scan is also more likely to have a data breach. Therefore, as an incentive, merchant providers charge a PCI Non-Compliance fee.
Do not make the mistake of thinking that this fee is mandated by the PCI Security Standards Council or the card brands. It is not mandated, and it goes into the pocket of your processor. (The fines the card brands can assess after an actual breach are a separate matter.) With that being said, I do not believe this makes the fee unwarranted. It is my opinion that if this fee incentivizes you to protect your customers, then so be it.
How do you remove PCI Non-Compliance?
Removing PCI Non-Compliance fees from your statement takes three major steps:
- Complete your PCI self-assessment questionnaire. The shortest SAQs run a couple of dozen questions; the full SAQ D runs into the hundreds. Look at the SAQ list and pick the one that matches how you accept cards. If you do not know where to go to complete your SAQ, call your merchant processor. They are usually teamed up with an approved PCI compliance vendor, usually at no additional charge; you have probably already paid for this in your PCI annual fee.
- The next step is your PCI scan, if your SAQ requires one. This is almost always provided by the same vendor that gave you the SAQ. Take what you learn from the scan report, fix any holes it finds, and rescan until it passes.
- The final step should not be necessary, but it is good practice: call your processor and let them know that you have passed. They should be able to see this automatically, but if you want to be sure the fee is removed, place the call.
It never hurts to ask your processor for a refund on a few months of fees. They won’t refund the entire time, but a few months is reasonable if they think there is a potential of losing the account.
Do not use threats to get rid of PCI. A processor who enforces PCI will never back down and remove PCI or its requirements. It is not going to happen, and they will let the account go if they need to. This is because if they remove it for you they have to do so for others. And let's be honest, it is quite the revenue-generating item for them.
If you leave the question of PCI non-compliance unanswered for too long, you risk having your merchant account canceled or being placed on the MATCH list (Mastercard's Member Alert to Control High-risk Merchants list, which other acquirers check before taking on a merchant). There is simply too much risk for a processor to keep servicing an account that cannot, or will not, become PCI compliant. It is extremely rare, but it can happen.
Other PCI Tips & Advice
- You can often do a much shorter PCI SAQ if you are using a P2PE validated solution. Call your processor and ask whether your terminal is a PCI-listed P2PE validated solution and whether you qualify for SAQ A or SAQ P2PE (formerly called SAQ P2PE-HW). Both are far shorter than the full SAQ D, although you still attest every year.
- When doing your SAQ, you are often alerted right away if something you are doing is incorrect. Use this as education: write down what you learned, go back and correct the process, then update your SAQ.
- SAQs can read as very confusing, even for us. They often remind me of 1980s stereo instructions; they are not clear. Try to step back and understand what they are getting at. Are they trying to see whether you store card data? If you do not store it, answer no.
- If you are still getting the SAQ wrong, you can hit the back button. There is no limit or penalty for this as long as you are answering honestly.
- If you already completed PCI compliance with another company, that is OK. You can often reuse that attestation with your current vendor, and they will often change your PCI date to match it. As long as the vendor that issued it is approved by the PCI Security Standards Council, you should be golden.
- If you are having trouble with your scans, try removing, one at a time, the equipment that talks to the outside world, rescanning after each one, so you can identify the culprit that is leaving ports open. The scan only reaches what your router forwards, so the list of suspects is whatever has a port forward or a public IP.
- You would be shocked how often a PCI scan failure is due to the camera system. If the cameras are the culprit and the problem is not easily fixed, put them on their own network segment, away from the devices that handle cards, and remove any port forward that exposes them to the internet.
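The "remove devices one at a time and find the culprit" routine above can be done by hand with a list of suspects and a port check before the real rescan. The script below is an added example for this post, not a tool from the author or from any scanning vendor: it checks each named device for ports that answer, reports which ones are exposed, and shows the result going clean once the offending device is taken off the network. A throwaway loopback listener stands in for a camera DVR whose web port is forwarded; the device names, addresses and ports are constructed for the example. A real ASV scan runs from the internet against your public IP, so treat this as the inside-the-shop triage step, not a substitute for the quarterly scan.

```python
import socket
from typing import Dict, Iterable, List, Tuple


def start_fake_device(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Start a throwaway TCP listener on an ephemeral loopback port.

    Constructed stand-in for a device answering on a reachable port (a camera
    DVR's web UI is the usual offender). No accept() loop is needed: the kernel
    completes the TCP handshake into the listen backlog, which is enough for a
    connect check to succeed. Close the returned socket to "unplug" the device.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def reserve_closed_port(host: str = "127.0.0.1") -> int:
    """Grab an ephemeral port and release it, giving a port known to be closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def port_is_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """TCP connect check: True if something accepts a connection on host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def exposed_ports(host: str, ports: Iterable[int], timeout: float = 0.5) -> List[int]:
    """The subset of `ports` that answer on `host`, sorted."""
    return sorted(p for p in ports if port_is_open(host, p, timeout))


def find_culprits(devices: Dict[str, Tuple[str, Iterable[int]]]) -> Dict[str, List[int]]:
    """Map each named device to the ports it leaves open.

    `devices` maps a label to (address, ports to check). An empty list means
    that device is clean; a non-empty list is a device to fix or isolate.
    """
    return {name: exposed_ports(host, ports) for name, (host, ports) in devices.items()}


if __name__ == "__main__":
    camera, cam_port = start_fake_device()      # constructed: camera DVR with a forwarded port
    pos_port = reserve_closed_port()            # constructed: POS terminal, nothing listening
    devices = {
        "camera-dvr": ("127.0.0.1", [cam_port]),
        "pos-terminal": ("127.0.0.1", [pos_port]),
    }
    print("before:", find_culprits(devices))    # camera-dvr lists cam_port, pos-terminal is empty
    camera.close()                              # "unplug" the camera, then re-check
    print("after: ", find_culprits(devices))    # every device is now empty
```

Run it once with every suspect listed, fix or unplug whichever device comes back with open ports, then ask the vendor to rescan; a device that answers here but is not supposed to be reachable from outside is exactly the one to move onto its own segment and un-forward.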
There you have it. Next time you look at your statement and ask yourself “what is PCI Non-Compliance”, you will know. It is also not the end of the world. Following the steps above can easily remove that fee from your account.
Do not be afraid to ask your processor for help. If they are charging for it, they usually provide access to the PCI vendor that does the scans. You can reach out to that company and ask for guidance. If that fails, you can always reach out to us.
Did I leave anything out? Do you have any questions? Leave your questions or comments below. I try to engage with each one and I am here to help.
Thank you so much!