Credit card and payment information is one of the most sensitive pieces of information that some organizations handle. So, it goes without saying that there are standards and rules in place to protect such sensitive data. Violating the rules has severe consequences.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of guidelines rolled out by the PCI Security Standards Council (PCI SSC) to protect credit card information. Businesses often incur financial penalties that show up as ‘PCI non-compliance fees’ on their bank statements without knowing what went wrong.
Here’s everything you need to know about PCI DSS non-compliance fees, why merchants are charged, and how to avoid these penalties.
What is the PCI non-compliance fee?
The PCI non-compliance fee is a penalty charged by payment processors when a business fails to provide proof of compliance with PCI DSS or fails to follow the specified PCI guidelines and requirements.
Any business that processes online payments or transmits credit card information must implement and follow the required security policies to ensure compliance. If the business doesn’t meet the PCI DSS requirements, the non-compliance fee can range from $500 to $500,000 depending on the severity of the violation.
When are you required to pay PCI non-compliance fees?
Generally, when you fail to provide proof of PCI compliance, your acquiring bank will impose a penalty. This will be billed monthly by your acquirer, and it accumulates over time. The exact amount varies between acquirers and also depends on the violation.
The longer you stay non-compliant, the more you will have to pay each month. The non-compliance fee appears on your monthly statement, and you are required to clear it when you settle the statement monthly or quarterly.
PCI compliance fees vs. non-compliance fees
The PCI compliance fee and the non-compliance fee are two entirely different charges. You can spot both easily in your contract and bank statements.
- PCI compliance fee: An organization is assigned a compliance level based on the number of payment transactions it processes monthly. Each level has different PCI requirements to protect customers’ data. The PCI compliance fee is the monthly or yearly cost that payment processors charge to assist with maintaining compliance.
However, paying this fee doesn’t necessarily ensure complete compliance. The provider will take care of certain technical aspects, but the organization needs to fill out a Self Assessment Questionnaire (SAQ), perform regular network scans, and follow other PCI compliance requirements.
- PCI non-compliance fee: The non-compliance fee, on the other hand, is a penalty imposed by the payment processor if an organization hasn’t been compliant in the past month. It is specifically for businesses not complying with the PCI DSS, and the fee is calculated based on the compliance level the business falls under.
So, even if you are paying the PCI compliance fee, the non-compliance fee can show up on your bank statement if you are not meeting the PCI requirements.
Why do you need to analyze the PCI compliance level?
In order to steer clear of non-compliance fees, you need to understand and analyze your compliance level first.
This level is generally determined by the number of monthly payment transactions you process. A merchant’s level can also vary between credit card providers.
You will have to follow different PCI requirements to protect credit card information and clients’ data based on your level of compliance. For example, a level 1 business needs an external audit performed by a Qualified Security Assessor (QSA), while a level 4 business can complete an SAQ instead of an external audit.
How to avoid PCI non-compliance fees?
Businesses should minimize unnecessary expenses, and the PCI non-compliance fee is one such expense. Moreover, non-compliance is not only about the extra fee; it also puts your organization’s reputation at risk. The best way to identify the areas of non-compliance is through the self-assessment questionnaire.
Let’s look at some tips to avoid PCI DSS non-compliance fees.
- Ensure that your devices, servers, and network are firewall protected to defend against unauthorized access.
- Install and use only PCI-approved credit card readers and validated payment processing software.
- Do not rely on vendor-supplied default settings, as these are a common target for cyber-attacks.
- Change default system and router passwords, and use strong, unique passwords on your software and hardware.
- Ensure that you encrypt the transmission of all cardholder data.
- Install anti-virus software and keep it updated to protect cardholder data from existing system/network vulnerabilities.
- Restrict physical access to cardholder data and assign a unique ID to every user so that access can be traced to the responsible individual in case of a data breach.
- Have an information security policy and incident management policy in place to identify, mitigate, and respond to data breaches.
- Train your employees to follow the best practices for securing cardholder data.
- Regularly perform security audits and follow the PCI DSS requirements to stay compliant.
The PCI non-compliance fee can dent the financials, especially for small businesses. Organizations should avoid such fees by complying with the PCI standards and protecting cardholder data.
If you are looking to streamline your PCI DSS certification process, a compliance automation platform like Sprinto can come in handy. The platform helps you automate multiple facets of compliance and significantly shortens the time organizations take to get PCI certified. Want to know more? Get in touch with our team of experts and experience compliance that’s quick and easy. Schedule a demo here.
What happens if you are not PCI compliant?
If you are not PCI compliant, you can incur hefty monthly non-compliance fees and penalties from payment service providers. Staying non-compliant also weakens your security, increasing the risk of a data breach.
How many companies are not PCI compliant?
According to a Payment Security Report published by a division of Verizon, around 64% of companies are not PCI compliant.
Is PCI compliance mandatory in the USA?
PCI compliance is not federally mandated in the USA. However, it is mandated by the PCI SSC, and some states have also incorporated the PCI DSS in their state laws.