What does a merchant get for a PCI fee?
By Ken Musante, The Green Sheet, 6/14/2010
I've been confused about what a merchant gets with a PCI fee. What is the fee designed to do? Enable a merchant to ignore the Payment Card Industry (PCI) Data Security Standard (DSS)? Insure the merchant against PCI fines? Pay for the processor to become PCI compliant? Pay for the merchant to become PCI compliant?
The monthly PCI fee has become increasingly common, and it seems to range between $5 and $15. I asked Forum members the following questions:
A call for education
"We, as an industry, are all too worried about what might happen at the switch, or at our host, so a fee gets charged to cover that expense ... and, oh, maybe get info from the merchants.
"PCI is just a buzzword now. Truth is we should be educating our merchant base, over and over, about data security. It should become a mantra for all of us.
"A merchant is only secure the minute they complete the questionnaire and abide by the needs or instructions. They can do what they want and afterward be out of compliance.
"So, let's be real. The cost charged the merchant isn't for their compliance; it's for the host's compliance cost coverage. That's OK, if it's disclosed as such.
"Lastly, the argument about insurance, I am sure, is going to arise. When it does, consider who the insured is and if the true cost is disclosed. In most cases, the insurance plans I have seen have a markup, which, if I am not mistaken, is called profit. Again, not a problem, if everyone understands it."
Questionable fees
What about those charging a 'noncompliance fee'? Does that mean that the [merchant] customer is not PCI compliant, and instead of being [brought] to compliance or shut down they get a free pass as long as they pay $xx.xx/month? Sounds like a cop giving out tickets to drunk drivers instead of taking them in.
Without doubt, there are costs involved for ISOs to become PCI compliant themselves, but they are recovering their own costs by charging ridiculous fees to their merchants. The processors are PCI compliant, too, but none of them passed on their fees. So where is the logic in charging the PCI compliance fees to their merchants?
Even if the card networks were not pushing us all toward PCI compliance, state law would, as nearly all the states have enacted their own breach laws, which all have penalties. Additionally, he provided a strong argument in favor of the PCI fee.
"But if a merchant couldn't afford to pay the fines assessed by the card associations and/or any litigations from issuers (including the cost of reissuance), it would be the responsibility of the service provider, and in that case, I can understand the need to charge each merchant on the books a fee for PCI compliance," he wrote.
"The collected fee then becomes a reserve 'in case of catastrophic loss' derived from a merchant. I believe that in this equation the common denominator is the fear of loss versus actual loss."
The discussion continues
1. Yes, PCI fees are about as common today as the daily conversations about the topic. When dealing with a retail merchant, a lot of them just don't understand it.
Most retailers think that PCI DSS (although important) only has to do with e-commerce, Internet and MO/TO merchants all in the CNP [card not present] world.
Now when you are talking to a large Internet retailer or MO/TO merchant processing thousands of transactions per month, they usually have someone at their company assigned to security, so it makes the job a lot easier.
2. This is a security issue, and merchants must pay this fee. And if you are PCI DSS certified and there is a breach, you have safe harbor [that way you will not be fined, because you were PCI DSS compliant]. But wait. If there was a breach, you weren't PCI DSS compliant; so you weren't compliant, so you will pay. ... It is a little confusing; isn't it?
3. What merchants feel is that they are being fee'd to death. Look at a statement: monthly statement fees, online access fees, NABU fees, Visa network access fees, merchant club fees, international assessment fees, misuse authorization fees, chargeback fees, retrieval fees, AVS fees, and the fee I personally love the most, a 'reversal fee' (that is when a merchant wins a chargeback, the list processor charges them $7 to put money back in the merchant's account). Give me a break!"
4. It will probably take a court decision to answer the breach question, and as everyone is probably aware, the insurance company is going to look for a reason not to pay as fast as they can. The irony of it is that the insurance company will not pay because the merchant or processor was not PCI compliant.
Ultimately, it may be the member that will be held responsible, as they should have known what 'their' processor was doing. And if the breach is large enough, Congress points the finger at everyone, and everyone pays.
Limited effectiveness
Data security is very important, but realistically no merchant can ever be 100 percent PCI compliant unless they turn off their computers, unplug the terminal, smash the hard drives and stop taking credit cards.
We build a 10-foot wall, and the hackers and data thieves build an 11-foot ladder. It's the old story of good versus evil, spy versus spy or the kid who stopped a dam from leaking with one finger.
However, if it is just another fee that is dropped in your pocket, we need to be careful. When folks start throwing another fee into the mix, we wind up getting one step closer to government regulation. ... When I look at merchant account statements now, there are dozens ... of fees on some of these statements. ... A perfect example of this is on my desk right now: a merchant is being charged $12.95 per month for a paper replacement fee. However, he is a website business that uses Authorize.net."
Most banks offer a PCI service of one form or another. The better services offer SAQ, scan, policy, and merchant education, along with some level of management console for the bank.
Even more interesting is the noncompliance fees being levied. Those run $20 to $50 per month for a Level 4 merchant. [One large acquirer] is on the street right now with a nasty-gram to Level 2 merchants that if they do not submit their required compliance documentation by a specific date, they will be assessed a large fine."
Regarding breach insurance, the early adopters of breach protection called it 'insurance,' and it went out to cover the merchants and processors. ... They require 'all in,' meaning the entire portfolio must be covered, as the policy is written to the acquirer/processor. Most of the programs I have seen have some serious limitations.
The problem is this protection in no way provides compliance. ... Many merchants believed they did not have to complete PCI DSS requirements because they have this protection. It is a problem now to re-educate these people about what their obligations are. Some frankly do not care, as it is cheaper to have the breach protection than to become and maintain PCI compliance. They do so at their own peril.
Liability issues
The purpose of breach protection, or an actual cyber insurance policy, is to offset the costs in the event of an incident. There is already evidence that the liability will flow downward, witness also that breaches such as Heartland and TJX yielded class actions that sought relief from those with the deepest pockets. Everyone loses. Remember the contractual relationships involved. The card brands have the contract with the bank, who has the contract with the processor or gateway or ISO and/or merchant. It gets ugly real fast. The weakest in the chain may not survive. Therefore, it is in everyone's best interest to ... not seek quick-fix alternatives.
What makes this topic so polarizing is the magnitude of liability and the uncertainty as to who ultimately owns the liability. To wit, when an acquirer assesses a monthly PCI fee that includes insurance, who is liable if, after a breach, the insurer declines the claim?
Consider a large portfolio utilizing a common third party. If that third party fails, each merchant using said third party is at risk for compliance fines. If fines are assessed and the insurer then declines coverage, is the acquirer responsible for refunding all those monthly fees? I hope this theoretical situation never materializes, but the question remains.
Data protection
Until rules existed and monetary fines were levied in response to breaches, the industry was not doing a competent job protecting cardholder data.
Consider the consequences were the breaches to have continued along the same trajectory as before the addition of the PCI DSS and the awareness brought about by the scanning and validation companies.