Uncovering the payment processing industry: Why is PCI Compliance so complicated?

If you have been involved with credit card processing, then you know that merchant service providers are notorious for tacking on all sorts of additional processing fees and not disclosing them during the sales process. Most merchants are told they will be paying a fee at the start, only to find out that the real amount being charged is far higher. Merchants are often left to find the fees buried somewhere in the pages and pages of fine print that make up their contracts. After a number of futile attempts to correct this, most merchants will simply give up and accept the fees as a cost of doing business. As a registered ISV (Independent Software Vendor), Nautical Payment Solution is changing this process for the boating industry with an upfront, transparent payment process that integrates with its own payment gateway, giving you a direct connection to the backend processor. By removing the middleman, Nautical Payment Solutions can save you money, and we can also administer your compliance.

WHAT ARE PCI FEES?

Before we go into the PCI Compliance process, we would first like to address the associated fees involved. The PCI compliance fee is the one fee that raises the most questions from merchants. What is the fee for, and what does PCI compliant mean? What services does the provider offer in exchange for it? The term “PCI fee” refers to any type of fee charged by your processor in conjunction with meeting PCI compliance standards. There are two kinds of PCI fees charged by credit card processors: PCI compliance fees and PCI non-compliance fees. Since you might see either one (or both!) of these fees on your processing statement, it’s important to understand what they’re for and why you have to pay them. You shouldn’t have to pay for both. The only time you would ever expect to pay a PCI fee is when you are NOT compliant.

PCI COMPLIANCE FEES

In theory, PCI compliance fees compensate your provider for any services they provide to ensure that your merchant account complies with all applicable PCI standards. We say “in theory” because you don’t always receive something of value in exchange for paying these fees.

PCI NON-COMPLIANCE FEES

A PCI non-compliance fee is nothing less than a fine or penalty for failing to keep your account compliant with PCI DSS standards. Please note that the PCI non-compliance fee doesn’t do anything to rectify the problem or bring your account into compliance. This fee will continue to be charged every month until you bring your account back into compliance. As long as you review your requirements and make sure you’re meeting them, you should never have to pay this fee. The sad truth is that far too many small business owners don’t take the time to review their processing statements every month. They often don’t realize they’re paying a non-compliance fee until many months after their account has become non-compliant.

WHAT ARE THE REQUIREMENTS FOR COMPLIANCE?

It is crucial that you see compliance as an asset rather than a hindrance in operations or a financial burden. These standards are designed to ensure that your customers’ credit card data is handled safely and securely to minimize any chance of a data breach.

The most important action you must take is to complete the Self-Assessment Questionnaire (SAQ), and this must be updated annually. Merchants are also required to conduct quarterly scans of their system to ensure there are no data breaches. Internal scans can be conducted in-house; however, all external scans must be done by an Authorized Scanning Vendor (ASV). A PCI vulnerability scan is a high-level, automated test that identifies and documents potential network vulnerabilities in an organization. No matter their size, all firms are required by the Payment Card Industry Data Security Standard (PCI DSS) to conduct internal and external network vulnerability scans at least once a quarter and after making any substantial changes to their networks.

Being PCI non-compliant can lead to your organization facing fines of $5,000 to $100,000 from payment processors. In addition to fines, there are a broad range of consequences associated with breaching the regulations, including a suspension from accepting credit cards, liability for fraud charges, and replacement costs.

80% OF ALL MERCHANTS ARE NOT COMPLIANT

Most merchants aren’t compliant because of a lack of understanding. The process can be very confusing if the merchant doesn’t have knowledgeable IT support to guide them through it. Most merchants don’t realize the severity of not being compliant, and they feel the time to become compliant isn’t worth it, believing it is cheaper to pay the non-compliance fee. But this defeats the purpose of PCI Compliance, and it puts the merchant’s and their customers’ sensitive data at risk.

NAUTICAL PAYMENT SOLUTIONS PCI COMPLIANCE ADMINISTRATOR OPTION

Unlike most processors, Nautical Payment Solution takes an active role in compliance, and we can help you with any questions you may have during the PCI Compliance process. As mentioned, the requirements for compliance can be quite complicated if you don’t have the knowledge to manage the process. In the event you would rather not take on this responsibility, NPS has the experience, and we can handle this process for you. We will manage the scans with the Authorized Scanning Vendor (ASV) on your behalf to identify any vulnerabilities and take the necessary actions to assist you in proactively fortifying your security. We can help you reach the compliance finish line with ease. This removes the possibility of human error in the process and gets your organization in compliance in days rather than months. You can rely on Nautical Payment Solution. It’s a wise investment.

WHAT IS AN ISV AND HOW DO THEY DIFFER FROM AN ISO/MSP?

In the payment processing industry, most merchants process payments through a middleman ISO (independent sales organization), also sometimes referred to as an MSP (member service provider). The two terms are used interchangeably in the payment industry: Visa calls them “ISOs” and MasterCard calls them “MSPs.” They both represent the backend processor and are sales representatives that focus on selling and managing merchant accounts and provide limited support, but in most cases they don’t have direct technical interaction with the actual payment process. So, most technical support or required assistance will be handled through third-party communication.

An ISV (independent software vendor) on the other hand is a company that develops and sells software solutions to businesses that run on one or more computer hardware or operating system (OS) platforms. In the context of payment processing, ISVs create applications and platforms that integrate payment processing functionality into existing solutions, such as software, point-of-sale (POS) systems, e-commerce platforms or customer relationship management (CRM) tools. By providing seamless payment gateway integration, ISVs have direct access to the backend processor and are responsible for technically maintaining the gateway and the payment process. This enables merchants to accept payments within their existing software infrastructure, improving the overall customer experience. Adding an integrated approach to payments to your software packages could be a game changing move, as it offers a broad range of benefits for end users and merchants like enhanced security and user experience, all of which serves to increase the value of your payment process. Integrated payments are payment processors that are embedded within other software programs used by businesses, such as accounting, customer relationship management (CRM), and specific industry management software. ISVs won’t redirect customers to a third-party payment processor, but process payments via an embedded payment gateway. This means every company will end up with a unique integrated payment system, because each business has specific processing requirements. Integrated payment solutions are designed to streamline payment processing and customer experience, optimizing the back end of operations to keep everything working together in harmony. With Nautical Payment Solution we take ISV duties to the next level in assisting in the PCI Compliance process. We take the payment process seriously with your best interest in mind.

Nautical Payment Solution is a Registered ISV (independent software vendor)

Earning Revenue for the Boating Industry

Marinas

Boatyards

Repair Shops

Dealerships
