Payment processing fees are inevitable. You can negotiate with your processor to get them reduced, or you can shop around to find the best price, but no business that accepts credit cards will ever be able to do it for free.
There are some fees, however, that no business owner should have to pay. PCI non-compliance fees fall under this category. If you accept card payments, there’s a high likelihood that your processor is charging you this fee. If you see it on your statement each month, it’s time to take action to remove it.
The process is simpler than you might think. Many merchants already meet most of the requirements through the hardware and software they use, but compliance is never assumed: until you document it, your processor treats you as non-compliant and is free to charge whatever penalty it likes. Most processors charge around $20 per merchant ID per month, which adds up to a sizeable amount of money, especially if your business has multiple locations.
MyPCI.com is a good resource for validating PCI DSS compliance and also does a good job of explaining what merchants need to do to get there. If your processor enrolls its merchants in MyPCI, you already have an account, even if you have never used it. Your login email address is [your merchant ID number]@mypci.com. For example, if your merchant account ID number were 1112345678910, your login ID would be 1112345678910@mypci.com. Once you submit that address, you should receive an email with a password that lets you log in to MyPCI and get started.
Once you've accessed your account, it's time to start the self-assessment questionnaire (SAQ). The SAQ records how you accept payments, including which terminals, gateway, POS system, and processor you use. Which version of the SAQ you complete depends on how card data reaches you: a merchant whose only exposure is a standalone card terminal answers a far shorter questionnaire than one whose own systems store, process, or transmit card data, and some versions also require quarterly external vulnerability scans by an approved scanning vendor. Either way, the questions walk through each piece of the payment path to confirm it is secure from start to finish. The questionnaire itself should take less than an hour, but the portal typically charges between $50 and $200 depending on the number of terminals your business runs.
If there's something amiss with your payment setup, the SAQ should point it out. Resolving the issue could be as simple as moving a piece of equipment to a more secure location, or it could require something as major as a change of processor or gateway if your current solution is not sufficiently secure. Once these adjustments have been made and you can honestly answer every applicable question, you sign an attestation of compliance (AOC), the document most processors refer to as a PCI compliance certificate. Congratulations!
Your final step is to pass the attestation on to your processor. Some processors have a specific channel for submitting it, but most will accept it if you simply send it to your sales or support representative. Be sure to request written confirmation both that it was received and that the fee has been removed, and keep an eye on future statements to verify that the PCI non-compliance fee is actually gone.
One important note to keep in mind: the PCI DSS requires that the SAQ be completed annually to validate that your business remains compliant. Just because you've submitted an attestation once, don't assume you'll never see a PCI non-compliance fee again. You will very likely see the fee back on your statement a year later when your attestation expires. Re-validate your business every year, before the previous attestation lapses, to ensure that you aren't charged.
For business owners, a PCI non-compliance fee can seem like a minor inconvenience, but these fees really add up over time. Considering how simple they are to remove, no business owner should settle for paying them each month. Following the steps outlined in this article ensures that you aren't paying unnecessary fees while also protecting both your business and your customers under the PCI DSS umbrella.