Just as professional athletes or motorists pay fines when they break certain rules, the same applies to companies doing business online. But the rules governing these companies’ behavior goes beyond “unsportsmanlike conduct” or “following the speed limit.” When they collect and process payment information for debit and credit cards, they must adhere to a number of rules in the process. If they break those rules, then they’re on the line to pay a penalty for it.
If it’s expensive to ignore the rules, why are an increased number of companies doing so? Verizon’s 2018 Payment Security Report reveals a drop in PCI compliance, which are the standards that companies have to stick to in order to process payment information online. Where 55.4 percent of companies were compliant in 2017, that number shrank to 52.5 percent in 2018. Chalk it up to lack of awareness or other shortcomings, but companies leave themselves and their customers exposed to bad actors when they shun this kind of compliance.
Beyond merely leaving themselves and their customers vulnerable to data breaches and cyberattacks, this decreased regard for the best practices pertaining to collecting payment card data and other personally identifiable information leaves these companies on the hook for noncompliance fees. It might not be as exciting or interesting as a professional athlete paying his or her commission for uttering an expletive during a game, but it can still be just as expensive.
What is a noncompliance fee?
In short, it’s the money charged by payment processing account providers when your business fails to prove it’s playing by the rules of the Payment Card Industry Data Security Standards Council. This organization was created by the major US credit card networks outside the bounds of conventional government in order to implement strong data security policies within the industry. It exists to update these standards as needed and ensure that all applicable companies adhere to them. In instances where a company is found to be playing out of bounds, fees enter the picture in order to motivate it towards compliance.
Noncompliance fees are distinctly punitive, charged as a mechanism to incentivize merchants to pursue PCI compliance. Range from $5,000 to $500,000 (depending on the circumstances), they have no necessary relationship to other costs that may be incurred. So how do you avoid them?
Complete a self-assessment questionnaire (SAQ) every year
Your self-assessment is a strong first step to take because it indicates you’re invested in taking ownership of your compliance process. SAQs are available on the PCI Security Standards Council website, and different questionnaires will apply to different businesses. In any case, each one is a series of yes-or-no questions designed to determine how closely your business meets PCI Data Security Standard requirements. Go through them yourself in order to see where you stand, then have a qualified security assessor review your work so that he or she can confirm your findings. Once that’s done, be sure to retain this paperwork so that it’s on hand for appropriate parties who ask to see it.
Pass an annual vulnerability scan with a PCI SSC-approved scanning vendor (ASV)
An ASV is a company you engage in order to audit your PCI compliance. These companies are certified by the Payment Card Industry Security Standards Council to confirm and implement these kinds of security requirements, and they’ll give you give you a certification that proves your compliance to customers and any inquiring banks.
It will almost always be necessary to work with an ASV because they are one of the few groups authorized to give these certificates of compliance. Why work with anyone else on this niche topic? Work with the certified experts!
Use the proper equipment and payment gateways
In simplest terms, make sure you’re using the right tools for the job. Don’t use outdated hardware or infrastructure that could be easily compromised (and might not even be compliant in the first place). You should maintain updated, secure systems and applications for everything that touches payment processing and customer information. If you’re not already using modern EMV terminals (Europay-Mastercard-Visa), then you might consider doing so — these are something of a standard nowadays.
Using a PCI-compliant payment gateway can also save you headaches here. A payment gateway is merely a merchant service by an e-commerce provider that authorizes credit card or direct payments, but not all are created equally. If this gateway is already PCI-compliant, then you’re ahead of the game.
What should I do if I’m already paying noncompliance fees?
The most important thing is to contact your merchant account provider to identify the specific issue that’s causing the fees. They’ll be able to inform you on what you need to do in order to validate your PCI compliance. Then simply take enact those steps in order to update your compliance status. If you feel you weren’t properly notified about noncompliance fees, you can always request a refund.
But in some circumstances, noncompliance fees are unavoidable. In cases of a data breach, for example, businesses are not only required to pay a fine, but they’re accountable far beyond that. They must also cover the costs associated with notifying customers of the breach, reissuing their cards, and monitoring the credit for all people and businesses affected by the breach. They’re also accountable for the cost of any forensic investigation, as well as any remediation deemed necessary afterward. Just imagine the public relations headache that all this fuss can cause.
At the end of all that, banks and card processors will end up charging noncompliant businesses higher rates, and credit card companies may end up denying their ability to accept credit cards. It’s clear that noncompliance fees have costs that transcend the financial, so it’s always in your interest to maintain compliance.
Download Our PCI DSS Checklist
Assess where your organization currently stands with being PCI DSS compliant by completing this checklist. Upon filling out this brief form you will receive the checklist via email.